Publications

Oct 24, 2008

SP 800-57 Part 3

DRAFT Recommendation for Key Management, Part 3 Application-Specific Key Management Guidance

NIST announces the release of a draft of Part 3 of Special Publication 800-57, Recommendation for Key Management: Application-Specific Key Management Guidance. This Recommendation provides guidance when using the cryptographic features of current systems. It is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in the normal use of the application. Recommendations are given for a select set of applications, namely: PKI, IPsec, TLS, S/MIME, Kerberos, OTAR, DNSSEC and Encrypted File Systems. Other topics will be added at a later time, and commenters are invited to suggest such topics. Please submit comments to part3-sp800-57-comments@nist.gov with "Comments on Draft 800-57, Part 3" in the subject line. The comment period closes on January 16th, 2009.
 
To view SP 800-57 Part 1 and 2 document, please go to the Special Publications page to download / view Part 1 and 2.

Sep 29, 2008

SP 800-82

DRAFT Guide to Industrial Control Systems (ICS) Security

The final public draft of SP 800-82 is available for public comment. It provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the second public draft, which was released in 2007. NIST requests comments on NIST SP 800-82 by November 30, 2008. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

Sept. 19, 2008

SP 800-70 Rev. 1

DRAFT National Checklist Program for IT Products--Guidelines for Checklist Users and Developers

Draft Special Publication 800-70 Revision 1, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 1 replaces the original version of the document, which was released in 2005.

NIST requests comments on draft SP 800-70 Revision 1 by October 31, 2008. Please submit comments to 800-70comments@nist.gov with "Comments SP 800-70" in the subject line.

September 10, 2008

SP 800-116

DRAFT (second draft) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

The National Institute of Standards and Technology (NIST) is pleased to announce a 2nd draft publication SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. Major changes in this draft include selection of outcome-based PIV authentication mechanisms and addition of PACS conformance best practice guideline. Federal agencies and private organizations as well as individuals are invited to review the 2nd draft document and submit comments using the comment template form provided on the website.

Comments should be submitted to PIV_comments@nist.gov with "Comments on Public 2nd Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on September 24, 2008.

August 19, 2008

SP 800-37 Rev. 1

DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach

NIST, in cooperation with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), announces the completion of an interagency project to develop a common process to authorize federal information systems for operation. The initial public draft of NIST Special Publication 800-37, Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, is now available for a six-week public comment period. The publication contains the proposed new security authorization process for the federal government (currently commonly referred to as certification and accreditation, or C&A). The new process is consistent with the requirements of the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130, Appendix III, promotes the concept of near real-time risk management based on continuous monitoring of federal information systems, and more closely couples information security requirements to the Federal Enterprise Architecture (FEA) and System Development Life Cycle (SDLC). The historic nature of the partnership among the Civil, Defense, and Intelligence Communities and the rapid convergence of information security standards and guidelines for the federal government will have a significant impact on the federal government's ability to protect its information systems and networks. The convergence of security standards and guidelines is forging ahead with the development of a series of new CNSS policies and instructions that closely parallel the NIST security standards and guidelines developed in response to FISMA. The CNSS policies and instructions which address the specific areas of security categorization, security control specification, security control assessment, risk management, and security authorization, coupled with the current NIST publications will provide a more unified information security framework for the federal government and its contracting base. The unified approach to information security is brought together in part by the update to NIST Special Publication 800-37, Revision 1, which provides a common security authorization process and references the NIST and CNSS publications for the national security and non national security communities, respectively. The convergence activities mentioned above along with tighter integration of security requirements into the FEA and SDLC processes will promote more consistent and cost-effective information security and trusted information sharing across the federal government. Comments on the IPD of SP 800-37, Revision 1 should be provided by September 30, 2008 and forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov .

Aug. 13, 2008

NIST IR-7511

DRAFT Security Content Automation Protocol (SCAP) Validation Program Test Requirements

Draft NIST Interagency Report (IR) 7511, Security Content Automation Protocol (SCAP) Validation Program Test Requirements, Version 1.1 is now available for public comment. This report describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
NIST requests comments on Draft NISTIR 7511 by September 15, 2008. Please submit comments to IR7511comments@nist.gov with "Comments IR 7511" in the subject line.

Jul 31, 2008

SP 800-106

DRAFT Randomized Hashing Digital Signatures (2nd draft)

NIST announces the release of the 2nd draft Special Publication 800-106, Randomized Hashing for Digital Signatures. This Recommendation provides a technique to randomize messages that are input to a cryptographic hash function during the generation of digital signatures. Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-106" in the subject line. The comment period closes on September 5th, 2008.

July 9, 2008

SP 800-107

DRAFT Recommendation for Applications Using Approved Hash Algorithms

NIST announces the release of the 2nd draft Special Publication 800-107, Recommendation for Applications Using Approved Hash Algorithms. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3, such as digital signature applications, Keyed-hash Message Authentication Codes (HMACs) and Hash-based Key Derivation Functions (HKDFs). Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-107" in the subject line. The comment period closes on October 9, 2008.

July 9, 2008

SP 800-41 Rev. 1

DRAFT Guidelines on Firewalls and Firewall Policy

Draft SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy, provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based, and personal firewalls. SP 800-41 Revision 1 updates the original publication, which was released in 2002. NIST requests comments on draft SP 800-41 Revision 1 by August 15, 2008. Please submit comments to 800-41comments@nist.gov with "Comments SP 800-41" in the subject line.

May 30, 2008

NIST IR-7502

DRAFT The Common Configuration Scoring System (CCSS)

Draft NIST Interagency Report (IR) 7502, The Common Configuration Scoring System (CCSS), is now available for public comment. This document proposes a specification for CCSS, a set of standardized measures for the characteristics and impacts of software security configuration issues. NISTIR 7502 also provides several examples of how CCSS measures and scores would be determined for a diverse set of configuration issues. Once CCSS is finalized, CCSS data can assist organizations in making sound decisions as to how configuration issues should be addressed and can provide data to be used in quantitative assessments of host security.

NIST requests comments on Draft NISTIR 7502 by July 3, 2008. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.

April 3, 2008

SP 800-39

DRAFT Managing Risk from Information Systems: An Organizational Perspective

NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. EComments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov .

Feb 26, 2008

SP 800-63 -1

DRAFT Electronic Authentication Guidelines

Draft SP 800-63 Revision 1: E-Authentication Guideline is available for public comment. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. Comments will be accepted until April 10, 2008. Comments should be forwarded via email to eauth-comments@nist.gov

Dec 28, 2007

FIPS-186 -3 Appendices

DRAFT RSA Strong Primes - Digital Signature Standard (DSS)

NIST requests comments on revised text for FIPS 186-3 related to the generation of RSA key pairs. Please provide comments by February 1, 2008 to ebarker@nist.gov.

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements security assessment providers should satisfy to demonstrate capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customer’s responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received NIST will update and republish this report and use it as reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert-p2@nist.gov

Jul 13, 2007

FIPS-140 -3

DRAFT Security Requirements for Cryptographic Modules

Draft FIPS 140-3 is the proposed revision of FIPS 140-2. The draft specifies five security levels instead of the four found in FIPS 140-2; has a separate section for software security; requires mitigation of non-invasive attacks when validating at higher security levels; introduces the concept of public security parameters; allows the deference of certain self-tests until specific conditions are met; and strengthens the requirements on user authentication and integrity testing. Please submit electronic comments to: FIPS140-3@nist.gov, with "Comments on Draft 140-3" in the subject line. ADDRESSES: Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive--Stop 8930. DATES: Comments must be received on or before October 11, 2007.

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of Draft of the Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. Comment period is NOW closed.

Mar 13, 2006

FIPS-186 -3

DRAFT Digital Signature Standard (DSS)

Draft FIPS 186-3 is the proposed revision of FIPS 186-2. The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This draft includes requirements for obtaining the assurances necessary for valid digital signatures. Methods for obtaining these assurances are provided in Draft NIST Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications. (see write-up for draft SP 800-89 below) Please submit comments to Elaine Barker at NIST with "Comments on Draft 186-3" in the subject line. The comment period closes on June 12, 2006 - Comment period is NOW closed.

See note above dated December 28, 2007 regarding RSA Strong Primes.