
News Archive - 2005

This page contains archived news items. These items are no longer updated and serve a historical purpose. To access news items from other years, please click on that year. If you have any questions, please contact the CSRC Webmaster.

For current news items, please visit the News section of the website.

SP 800-21-1 Released
December 22, 2005
NIST is pleased to announce the release of NIST Special Publication 800-21-1, the second edition of Guideline for Implementing Cryptography in the Federal Government. This revision updates and replaces the November 1999 edition of Guideline for Implementing Cryptography in the Federal Government. Many of the references and cryptographic techniques contained in the first edition of NIST SP 800-21 have been amended, rescinded, or superseded since its publication. The second edition also offers new tools and techniques. Go to the Special Publications page to view or download SP 800-21-1.
Draft SP 800-90 Available for Public Comment
December 16, 2005
NIST Draft Special Publication 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators is available for public review and comment. Please visit the CSRC Draft Publications page to learn more about this draft document.
SP 800-76 Available for Public Comment
December 15, 2005
NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification, is now available for a four week public comment period. This document specifies technical acquisition and formatting requirements for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates required procedures and formats for fingerprints, fingerprint templates and facial images by appropriate instantiation of values and practices generically laid out in published biometric standards. Please submit comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-76" in the subject line. The comment period closes at 5:00 EST on Friday, January 13th, 2006.
SP 800-77 Released
December 15, 2005
NIST is pleased to announce the release of Special Publication 800-77: Guide to IPsec VPNs. IPsec is a framework of open standards for ensuring private communications over public networks. Its most common use is the creation of virtual private networks (VPNs). IPsec provides several types of data protection, including maintaining confidentiality and integrity, authenticating the origin of data, preventing packet replay and traffic analysis, and providing access protection. This document describes the three primary models for VPN architectures: gateway-to-gateway, host-to-gateway, and host-to-host. These models can be used, respectively, to connect two secured networks, such as a branch office and headquarters, over the Internet; to protect communications for hosts on unsecured networks, such as traveling employees; or to secure direct communications between two computers that require extra protection. The guide describes the components of IPsec. It also presents a phased approach to IPsec planning and implementation that can help in achieving successful IPsec deployments. The five phases of the approach are as follows: identify needs, design the solution, implement and test a prototype, deploy the solution, and manage the solution. Special considerations affecting configuration and deployment are analyzed, and three test cases are presented to illustrate the process of planning and implementing IPsec VPNs.
Four Publications Released
November 17, 2005
NIST is pleased to announce four new final publications: (1) an updated SP 800-40 (version 2), Creating a Patch and Vulnerability Management Program; (2) SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist; (3) SP 800-83, Guide to Malware Incident Prevention and Handling; and (4) NISTIR 7250, Cell Phone Forensic Tools: An Overview and Analysis.
 
(1): SP 800-40 is an updated version of the publication originally published in August 2002. It provides guidance on creating a security patch and vulnerability remediation program and testing the effectiveness of that program. It describes the principles and methodologies that organizations can use to manage exposure to vulnerabilities through the timely deployment of patches. Although the primary emphasis is on designing and implementing a patch and vulnerability management program, the document also contains guidance for technical staff responsible for applying patches, deploying patch and vulnerability management solutions, and disseminating related information.
 
(2): SP 800-68 was created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional service pack 2 systems. The guide documents the methods that system administrators can use to implement each security setting recommended. The principal goal of the document is to recommend and explain tested, secure settings for Windows XP workstations with the objective of simplifying the administrative burden of improving the security of Windows XP systems in four types of environments: SOHO, enterprise, and two custom environments, specialized security-limited functionality and legacy.
 
(3): SP 800-83 provides recommendations for improving an organization's malware incident prevention measures through several layers of controls. It also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. The guide focuses on providing practical strategies for detection, containment, eradication, and recovery from malware incidents in managed and non-managed environments. The recommendations in the publication address several forms of malware, as well as various malware transmission mechanisms, including removable media and network services such as e-mail and Web browsing.
 
(4): NISTIR 7250 is an overview of current forensic software tools designed for the acquisition, examination, and reporting of data residing on cellular handheld devices, and reviews their capabilities and limitations. All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the capabilities of these devices continue to improve rapidly. When cell phones or other cellular devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device.
SP 800-87 Released
October 20, 2005
NIST is pleased to announce the release of Special Publication 800-87 (SP 800-87) Codes for the Identification of Federal and Federally-Assisted Organizations. SP 800-87 provides the organizational codes necessary to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique (CHUID) and is a companion document to FIPS 201.
Two Publications Released
October 19, 2005
The NIST Computer Security Division is pleased to announce publication of NIST Special Publication 800-85 (SP800-85), PIV Middleware and PIV Card Application Conformance Test Guidelines (SP800-73 Compliance). SP800-85 provides an approach for development of conformance tests for PIV middleware and PIV card application products. The approach includes Derived Test Requirements (DTR) and Test Assertions (TA). The DTRs and TAs are based on SP 800-73 Interfaces for Personal Identity Verification. The Guidelines are to be used by the developers of software modules and testing laboratories.
SP 800-21 Available for Public Comment
September 15, 2005
The NIST Computer Security Division is pleased to announce, for your review and comment, a draft revision of NIST Special Publication 800-21, Guideline for Implementing Cryptography in the Federal Government. This draft revision updates and replaces the November 1999 edition of Guideline for Implementing Cryptography in the Federal Government. Many of the references and cryptographic techniques contained in the first edition of NIST SP 800-21 have been amended, rescinded, or superseded since its publication. The current draft also offers new tools and techniques. The document may be downloaded as an Adobe Acrobat file from the CSRC Draft Publications page. Please provide comments by October 17, 2005 to ebarker@nist.gov, specifying "SP 800-21 Comments" in the subject field.
Proposed Revisions to FIPS 201
September 02, 2005
The National Institute of Standards and Technology proposes revisions to paragraphs 2.2 and 5.3.1 of Federal Information Processing Standard 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors. Before recommending these proposed changes to FIPS 201 to the Secretary of Commerce for review and approval, NIST invites comments from the public, users, the information technology industry, and Federal, State and local government organizations concerning the proposed changes. Comments on these proposed changes must be received by 30 days after publication of the Federal Register notice of the change proposal.
SP 800-57, Part 2 Published
August 26, 2005
The NIST Computer Security Division is pleased to announce publication of NIST Special Publication 800-57, Recommendation for Key Management - Part 2, Best Practices for Key Management Organization. The Recommendation for Key Management is divided into three parts. Part 1 contains general guidance. Part 2 provides guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices. Part 3 will provide guidance to system administrators on using cryptographic algorithms in specific applications, selecting products to satisfy specific operational environments, and configuring those products appropriately.
SP 800-57, Part 1 Published
August 17, 2005
The NIST Computer Security Division is pleased to announce publication of NIST Special Publication 800-57, Recommendation for Key Management - Part 1, General. The Recommendation for Key Management is divided into three parts. Part 1 contains general guidance. Part 2 will be available in a few days and will provide guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices. Part 3 is under development and will provide guidance to system administrators on using cryptographic algorithms in specific applications, selecting products to satisfy specific operational environments, and configuring those products appropriately.
Division Chief for the Computer Security Division (CSD) Sought
August 16, 2005
The National Institute of Standards and Technology (NIST), Information Technology Laboratory (ITL) is seeking a highly qualified individual for the position of Division Chief for the Computer Security Division (CSD). The Division Chief provides executive direction for... Click here to learn more about the Division Chief vacancy for the Computer Security Division.
SP 800-26, Revision 1 Available for Public Comment
August 15, 2005
The NIST Computer Security Division is pleased to announce for your review and comment draft NIST Special Publication 800-26 Revision 1, Guide for Information Security Program Assessments and System Reporting Form. This draft document brings the assessment process up to date with key standards and guidelines developed by NIST. The document may be downloaded as an Adobe Acrobat file from the CSRC Drafts Publications page. Please provide comments by October 17, 2005 to sec-report@nist.gov.
Multiple Publications Released
August 11, 2005
NIST announces that the following draft Special Publications (SP) are now available for public comment: 1) SP 800-40 version 2, Creating a Patch and Vulnerability Management Program; 2) SP 800-81, Secure DNS Deployment Guide; 3) SP 800-83, Guide to Malware Incident Prevention and Handling; 4) SP 800-84, Guide to Single-Organization IT Exercises; 5) SP 800-86, Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response; and 6) SP 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations. These draft publications and the requested dates for comments can be found on the CSRC Drafts publications page. Additionally, NIST is announcing the final publication of NIST Interagency Report (IR) 7206, Smart Cards and Mobile Device Authentication: An Overview and Implementation; NISTIR 7200, Proximity Beacons and Mobile Handheld Devices: Overview and Implementation; and SP 800-70, Security Configuration Checklists Program for IT Products.
Two Draft SPs Available for Public Comment
August 5, 2005
NIST announces that Draft Special Publication 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines (SP800-73 Compliance), is now available for a three week public comment period. These guidelines provide an approach for development of conformance tests for PIV middleware and PIV card application products. The approach includes Derived Test Requirements (DTR) and Test Assertions (TA). The DTRs and TAs are based on SP 800-73 Interfaces for Personal Identity Verification. The Guidelines are to be used by the developers of software modules and testing laboratories. Please submit comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-85" in the subject line. The comment period closes at 5:00 EST (US and Canada) on August 26th, 2005.
NVD Available
August 5, 2005
The ICAT vulnerability database has been completely rewritten and has become the National Vulnerability Database (NVD). It is available at http://nvd.nist.gov. NVD is a comprehensive cyber security vulnerability database that is updated daily with the latest vulnerabilities. From a single search engine, it integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It currently contains 11,823 NVD vulnerability summaries, 479 US-CERT cyber security alerts, 1085 US-CERT vulnerability notes, 776 OVAL queries, and almost 50,000 industry vulnerability references (visit NVD to learn more about any of these products).
Draft SP 800-18, Revision 1 Available for Public Comment
August 2, 2005
NIST's Computer Security Division is pleased to announce draft Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems. The draft publication brings the security planning process up to date with key standards and guidelines developed by NIST. The document may be downloaded as an Adobe Acrobat file from the CSRC Drafts Publications page. Please provide comments by September 12, 2005 to sec-plan@nist.gov.
GCM Recommended
August 1, 2005
NIST has decided to recommend the Galois Counter Mode (GCM) in an upcoming draft special publication, SP 800-38D. GCM is a parallelizable mode of the Advanced Encryption Standard (AES) algorithm that combines Counter mode encryption with authentication that is based on a universal hash algorithm. In light of public comments on GCM, NIST intends to restrict the tag sizes for the authentication service to larger values. GCM is intended for high-throughput applications that can take advantage of the parallelizability while tolerating the tag size restrictions. Information about the ongoing development effort for block cipher modes of operation, including the GCM submission documentation and public comments, is available through the modes home page.
SP 800-79 Published
July 27, 2005
NIST announces the publication of the PIV Card Issuer (PCI) Accreditation Guidelines. The Computer Security Division, responsible for the development and support of the Federal Information Processing Standard (FIPS) 201 for Personal Identity Verification of Federal Employees and Contractors, has published NIST Special Publication (SP) 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations. These Guidelines describe an assessment model that includes conformance testing (e.g., PIV component validation, PIV System testing and demonstration), certification, and accreditation. Examples of PIV organization management structures, the attributes of PIV Card Issuers (PCIs) that are required and desired to demonstrate capability and reliability, the methods for assessing these attributes, and sample accreditation decision letters are included in the Guidelines. The Guidelines are to be used by Federal departments and agencies to accredit the capability and reliability of PCIs they establish or select to perform identity proofing, registration, and PIV Card issuing services. The Guidelines will be augmented as experience is gained by Federal departments and agencies in complying with FIPS 201 and extended so that a more detailed accreditation process may be performed when an interoperable PIV System is established.
SP 800-53A Released
July 15, 2005
NIST's Computer Security Division has completed the initial public draft of Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. The draft publication is one of a series of key standards and guidelines developed by NIST to help federal agencies improve their information technology security and comply with the Federal Information Security Management Act (FISMA) of 2002. Organizations can use Special Publication 800-53A to create viable assessment plans to determine the overall effectiveness of the security controls employed within organizational information systems. The guidance contained in this publication has been developed to help achieve more secure information systems within the federal government by: (i) enabling more consistent, comparable, and repeatable assessments of security controls; (ii) facilitating more cost-effective assessments of security control effectiveness; (iii) promoting a better understanding of the risks to organizational operations, organizational assets, or individuals resulting from the operation of information systems; and (iv) creating more complete, reliable, and trustworthy information for organizational officials-to support security accreditation decisions and annual FISMA reporting requirements.
 
NIST invites public comments on the draft guideline until 5 p.m. Eastern Daylight Time on August 31, 2005. Written comments on Special Publication 800-53A may be sent to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-53A, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930. Comments also may be submitted electronically to sec-cert@nist.gov.
FIPS 200 Available for Public Comment
July 15, 2005
NIST's Computer Security Division has completed the initial public draft of Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The draft standard is one of a series of key standards and guidelines developed by NIST to help federal agencies improve their information technology security and comply with the Federal Information Security Management Act (FISMA) of 2002. FIPS Publication 200 provides: (i) a specification for minimum security requirements for federal information and information systems; (ii) a standardized, risk-based approach (as described in FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems) for selecting security controls in a cost-effective manner; and (iii) links to NIST Special Publication 800-53 (Recommended Security Controls for Federal Information Systems) that recommends management, operational, and technical controls needed to protect the confidentiality, integrity, and availability of all federal information systems that are not national security systems. NIST invites public comments on the draft standard until 5 p.m. Eastern Daylight Time on Sept. 13, 2005. The document may be downloaded as an Adobe Acrobat file from the CSRC Drafts Publications page. Written comments on FIPS Publication 200 may be sent to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft FIPS Publication 200, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930. Comments also may be submitted electronically to draftfips200@nist.gov.
Draft SP 800-56 Available
July 6, 2005
Draft Special Publication 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography is now available for comment. Please visit the Computer Security Drafts Publications page to learn more details along with viewing this document.
Draft SP 800-79 Available for Public Comment
June 17, 2005
NIST's Computer Security Division, responsible for development and support of the Federal Information Processing Standard (FIPS 201) for Personal Identity Verification of Federal Employees and Contractors, has completed the first draft of NIST SP 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, for public comment. Homeland Security Presidential Directive 12 specified that only organizations whose reliability has been accredited may issue PIV Cards to Federal employees and contractors. The Guidelines describe the tasks to be performed during the certification and accreditation processes which lead to accreditation and an approval to operate the PIV Card issuing services required in FIPS 201. The Guidelines may be used by Federal agencies in planning and designing their PIV Card issuing services. They may later be used by the agency to self-accredit their capability and reliability to provide the services. The document can be accessed from the Drafts Publication page. The comments template, Question & Answer fact sheet, and e-mail address can be obtained by going to the Drafts page. Comments are due July 10, 2005.
SP 800-52 Announced
June 14, 2005
NIST is pleased to announce Special Publication 800-52, Guidelines on the Selection and Use of Transport Layer Security. This document is a guideline for implementing Transport Layer Security in the Federal Government to protect sensitive information. Included are recommendations on the selection of cipher suites. Many cipher suites either provide inadequate security or are non-compliant with Government standards.
Public Workshop Announced
June 13, 2005
NIST has announced a public workshop to provide additional guidance on Federal Information Processing Standards (FIPS) 201 implementation. The workshop is designed to provide clarifications and respond to the questions raised by the industry and Federal agencies. Further information about registration and the workshop can be found here.
FIPS 46-3 Withdrawn
May 19, 2005
NIST has announced the withdrawal of the (single) Data Encryption Standard (DES) as specified in FIPS 46-3. DES no longer provides the security that is needed to protect Federal government information. Federal government organizations are now encouraged to use FIPS 197, Advanced Encryption Standard (AES), which specifies a faster and stronger algorithm. For some applications, Federal government departments and agencies may use the Triple Data Encryption Algorithm as specified in NIST Special Publication 800-67.
SP 800-38B Released
May 18, 2005
NIST is pleased to announce that Special Publication 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication has been finalized. This Recommendation specifies CMAC, a block cipher-based message authentication code. CMAC is an authentication mode of operation for any approved block cipher such as the AES algorithm. Information on this special publication and the development of modes of operation is available at the modes home page.
Workshop Announced
May 16, 2005
NIST to hold Cryptographic Hash Function Workshop (October 31-November 1, 2005). Recently a team of researchers reported that the SHA-1 function offers significantly less collision resistance than could be expected from a cryptographic hash function of its output size. NIST plans to host this workshop to solicit public input on how best to respond to the current state of research in this area. Please see http://www.nist.gov/hash-function for more information.
NISTIR 7219 Released
May 2, 2005
The NIST Computer Security Division is proud to announce the release of NIST Interagency Report (IR) 7219: Computer Security Division - 2004 Annual Report.
SP 800-78 Available
April 25, 2005
NIST Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available. This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and the related Special Publications 800-73, Interfaces for Personal Identity Verification, and 800-76, Biometric Data Specification for Personal Identity Verification, that rely on cryptographic functions.
Draft 800-57 Available for Public Comment
April 21, 2005
Draft NIST Special Publication 800-57, Recommendation for Key Management, Parts 1 and 2 are available for public comment. Comments on Part 1 (General) are requested by June 3, 2005. Comments on Part 2 (Best Practices for Key Management Organizations) are requested by May 18, 2005.
Public Comments Wanted on Different Modes
April 14, 2005
As part of NIST's ongoing effort to update and develop modes of operation for use with the AES algorithm, NIST intends to recommend either the Galois Counter Mode (GCM) or the Carter-Wegman + Counter (CWC) mode. GCM and CWC are modes for authenticated encryption with associated data, combining Counter mode confidentiality with authentication that is based on a universal hash algorithm. Both GCM and CWC are parallelizable. The submission documents specifying GCM and CWC are available through the modes home page, http://nist.gov/modes. NIST invites comments on these two modes, including comments on intellectual property matters, by June 1, 2005, at EncryptionModes@nist.gov.
SP 800-73 Released
April 12, 2005
NIST is pleased to announce the release of Special Publication 800-73, Interfaces for Personal Identity Verification (document updated April 12 - original release date of SP 800-73 was April 8). (Errata sheet released April 12, 2005). SP 800-73 provides the specifications for interfacing with the Personal Identity Verification (PIV) Card as specified in FIPS 201. SP 800-73 provides a streamlined, ISO compliant unified card edge independent of the underlying card platform technology.
Public Comments Wanted on HSPD-12
April 8, 2005
OMB has published a request for comments in the Federal Register on their draft agency implementation guidance for HSPD #12. Comments are due to OMB by May 9, 2005.
SP 800-78 Available for Public Comment
March 28, 2005
NIST Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for a two week public comment period. This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and the related Special Publications 800-73, Interfaces for Personal Identity Verification, and 800-76, Biometric Data Specification for Personal Identity Verification, that rely on cryptographic functions. Please submit comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-78" in the subject line. It is requested that Federal organizations submit one consolidated/coordinated set of comments. The comment period closes at 5:00 EDT (US and Canada) on April 11th, 2005.
SP 800-66 Released
March 25, 2005
NIST is pleased to announce that Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, is now available. This document can be used as an educational resource to support implementation of the HIPAA Security Rule. It identifies key NIST resources relevant to the specific security standards included in the Security Rule and provides implementation examples for each. The document is available on the Special Publications page.
Workshop Announced
March 18, 2005
The Technology Administration of the U.S. Department of Commerce has announced a half-day workshop to discuss the latest advances in Radio Frequency Identification (RFID) technology to include the benefits of RFID, technology development efforts, current and future applications, and privacy and security considerations.
Draft SP 800-38B Available for Public Comment
March 10, 2005
The Draft NIST Special Publication 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication is available for public comment. This Recommendation specifies a cipher-based MAC algorithm based on an approved block cipher such as the AES algorithm or TDEA. Information on this special publication and the development of modes of operation is available at the modes home page, http://nist.gov/modes. Comments will be accepted at EncryptionModes@nist.gov until April 25, 2005.
Second Draft SP 800-73 Available for Public Comment
March 8, 2005
NIST has revised Special Publication 800-73 (SP 800-73) and released a second draft in response to the comments received on the January 31st public draft. SP 800-73 provides the specifications for interfacing with the Personal Identity Verification (PIV) Card as specified in FIPS 201. SP 800-73 provides a streamlined, ISO compliant unified card edge independent of the underlying card platform technology. Please submit your comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-73" in the subject line. It is requested that Federal organizations submit one consolidated/coordinated set of comments. The comment period closes at 5:00 EST (US and Canada) on March 22nd, 2005.
OMB Publishes FISMA Report
March 1, 2005
OMB has published its 2004 Federal Information Security Management Act (FISMA) Report to Congress. This report provides: 1) a summary of government-wide performance in the area of information technology security management; 2) an analysis of government-wide weaknesses in information technology security practices; and 3) a plan of action to improve information technology security performance.
SP 800-53 Released
February 28, 2005
NIST has completed Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This guideline provides a recommended set of security controls for low, moderate, and high impact information systems based upon the system's FIPS 199 security categorization. Special Publication 800-53 serves as NIST interim guidance on security controls for federal information systems until December 2005, which is the statutory deadline to publish minimum standards for all non-national security systems.
FIPS 201 Available
February 25, 2005
FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, developed in response to Homeland Security Presidential Directive #12, is now available. Details about the development of the new standard can be found on NIST's PIV web pages.
Comments Posted About SHA-1 Attacks
February 22, 2005
NIST has posted brief comments on the recent SHA-1 cryptanalytic attacks.
Opportunities Available at NIST
February 3, 2005
The Computer Security Division is seeking individuals to join our team at NIST. We are seeking highly qualified technical individuals with significant security research and implementation expertise. Specific areas of technical expertise are cryptography (algorithms, key management, authentication, hashing, etc.), voting systems, networking protocols and services (BGP, IPsec, VOIP, 802.1x, etc.), mobile and wireless systems, biometrics, malware, smart cards, identity proofing, identity management, intrusion detection, vulnerability analysis, security testing and assurance, access control, embedded systems, RFID, and security checklist/hardening guides. Those with graduate degrees in cyber security, computer science, mathematics, or closely related fields are particularly encouraged to apply. NIST maintains an "applicant supply file" which the Division reviews to identify potentially qualified applicants. If you are interested, please e-mail 1) a resume (no set format) indicating particular field(s) of interest AND 2) a completed cover sheet, with "RESUME" in the subject line, to roback@nist.gov and kimberly.morgan@nist.gov. USA citizenship is required. EOE.
Draft SP 800-77 Available for Public Comment
January 31, 2005
NIST is pleased to announce new draft Special Publication 800-77, Guide to IPsec VPNs. IPsec is a framework of open standards for ensuring private communications over IP networks. The most common use is with virtual private networks (VPNs). IPsec provides several types of data protection, including maintaining confidentiality and integrity, authenticating the origin of data, preventing packet replay and traffic analysis, and providing access protection. This document describes the three primary models for VPN architectures: gateway-to-gateway, host-to-gateway, and host-to-host. These models can be used, respectively, to connect two secured networks, such as a branch office and headquarters, over the Internet; to protect communications for hosts on unsecured networks, such as traveling employees; or to secure direct communications between two computers that require extra protection. The guide describes the components of IPsec. It also presents a phased approach to IPsec planning and implementation that can help in achieving successful IPsec deployments. The five phases of the approach are as follows: identify needs, design the solution, implement and test a prototype, deploy the solution, and manage the solution. Special considerations affecting configuration and deployment are analyzed, and three test cases are presented to illustrate the process of planning and implementing IPsec VPNs. Comments on SP 800-77 can be made until 3 March 2005. Please submit comments to IPsecpub@nist.gov.
SP 800-73 Available for Public Comment
January 31, 2005
NIST has revised the draft Special Publication 800-73 (SP 800-73) in response to the comments received on the November 8th public draft. SP 800-73 provides the specifications for interfacing with the Personal Identity Verification (PIV) Card as specified in FIPS 201. Please note that SP 800-73 does not specify an implementation schedule. Also note that the revised SP 800-73 is an abstraction of, and compatible with, both file system and virtual machine cards. It provides a streamlined, ISO-compliant unified card edge independent of the underlying card platform technology. Please submit your comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-73" in the subject line. It is requested that Federal organizations submit one consolidated/coordinated set of comments. The comment period closes at 5:00 EST (US and Canada) on February 14th, 2005. Comments received after the comment period closes will be handled on an as-time-is-available basis.
SP 800-65 Released
January 27, 2005
NIST is pleased to announce NIST Special Publication 800-65, Integrating IT Security into the Capital Planning and Investment Control Process. This publication describes a process and methodology for effectively identifying, prioritizing, and integrating security requirements into the IT investment process, which agencies can use to build upon their existing processes where applicable. The guideline is available on the CSRC Special Publications page.
SP 800-53 Available for Public Comment
January 26, 2005
NIST has completed the final public draft of Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This draft guideline provides a recommended set of security controls for low, moderate, and high impact information systems based upon the system's FIPS 199 security categorization. Final publication is anticipated in February 2005. Special Publication 800-53, when finalized, will serve as NIST interim guidance on security controls for federal information systems until December 2005, which is the statutory deadline to publish minimum standards for all non-national security systems. Comments may be sent to sec-cert@nist.gov until February 11, 2005.
Draft SP 800-76 Available for Public Comment
January 24, 2005
Based on the comments received on the November 8th draft of FIPS 201, NIST has decided to move the technical requirements for biometric data to Special Publication 800-76, Biometric Data Specification for Personal Identity Verification. NIST is pleased to announce the draft of SP 800-76 for public comment. The comment period for this draft is two weeks, ending on February 7th, 2005. Please direct all comments and questions to DraftFIPS201@nist.gov.
SP 800-58 Released
January 5, 2005
NIST is pleased to announce the release of NIST Special Publication 800-58, "Security Considerations for Voice Over IP Systems". Voice over Internet Protocol (VOIP) refers to the transmission of speech across data-style networks. This form of transmission is conceptually superior to conventional circuit-switched communication in many ways. However, a plethora of security issues are associated with the still-evolving VOIP technology. This publication introduces VOIP, its security challenges, and potential countermeasures for VOIP vulnerabilities.
HSPD-12 Meeting Adds Second Session
January 2, 2005
HSPD-12 Public Meeting - January 19, 2005 -- A second session has been added, from 1:00-4:00 pm. Due to the number of responses from individuals interested in attending this meeting, there will be a second meeting in the afternoon at the same location. The afternoon session will cover the same topics. Because of space limitations, attendees may only attend one session. Attendees registered for the morning session may not switch sessions. If you are on the waiting list, you will receive email confirmation; there is no need to contact NIST.
HSPD-12 Meeting Full
January 2, 2005
HSPD-12 Public Meeting - January 19, 2005 - Meeting information is now available. (The meeting has reached capacity and is now full. All people registering now will be put on a waiting list.)