News -- 2009

Draft NIST Interagency Report (IR) 7581 is available for review and comment
August 11, 2009
NIST announces that draft NIST IR 7581, System and Network Security Acronyms and Abbreviations, is now available for public comment. The report contains a list of acronyms and abbreviations for selected system and network security terms, along with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network security publications. Readers are encouraged to submit additional security acronyms and abbreviations, particularly for emerging technologies, for consideration as additions to the report.
 
NIST requests comments on Draft NIST IR 7581 by September 11, 2009. Please submit comments to securityacronyms@nist.gov.


NIST Releases Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
July 31, 2009
NIST announces the final publication of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems. The standardized set of management, operational, and technical controls provides a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems. In addition to the expansion of the security control catalog, Special Publication 800-53, Revision 3 contains significant changes including:

  • A simplified, six-step Risk Management Framework;
  • Additional security controls and control enhancements for advanced cyber threats;
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment;
  • Revised security control structure with a new references section;
  • Elimination of security requirements from Supplemental Guidance sections;
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services;
  • Updates to security control baselines consistent with current threat information and known cyber attacks;
  • Organization-level security controls for managing information security programs;
  • Guidance on the management of common controls within organizations; and
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.

The important changes described in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. Following the final publication of Special Publication 800-53, Revision 3, the collaborative work between the national security and non national security communities will continue with updates to other key publications such as:

  • NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Information Systems;
  • NIST Special Publication 800-39, Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View;
  • NIST Special Publication 800-30, Guide for Conducting Risk Assessments; and
  • NIST Special Publication 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations.

The schedule for the development of all key FISMA-related publications based on new milestones established among the participating partners in the Joint Task Force Transformation Initiative can be found at: http://csrc.nist.gov/groups/SMA/fisma/schedule.html.


NIST Releases Draft Special Publication 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP)
July 31, 2009
 
NIST announces that Draft Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-126 also provides an overview of SCAP, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces.
 
NIST requests comments on draft SP 800-126 by August 31, 2009. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.


Comments Received on White Paper: The Transitioning of Cryptographic Algorithms and Key Sizes
July 27, 2009
Comments received as of July 24, 2009.
 
Announcement From July 2: Comments are requested on the white paper "The Transitioning of Cryptographic Algorithms and Key Sizes" by August 3, 2009. Please provide comments to CryptoTransitions@nist.gov.


Draft Special Publication 800-65 Revision 1 has been Released
July 14, 2009
NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments. NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.


FISMA Implementation Project Announces New Publication Milestone Schedule
July 7, 2009
The FISMA Implementation Project has announced a new milestone schedule for its key publications in development or undergoing modification. These publications include:

  • SP 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations, (Projected Final: July 31, 2009)
  • SP 800-37, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Formerly Guide for the Security Certification and Accreditation of Federal Information Systems), (Projected Final: October 2009)
  • SP 800-39: Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View (Formerly Managing Risk from Information Systems: An Organizational Perspective), (Projected Final: December 2009)
  • SP 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations, (Projected Final: January 2010)
  • SP 800-30, Revision 1: Guide for Conducting Risk Assessments (Formerly Risk Management Guide for Information Technology Systems), (Projected Final: January 2010)

The original completion dates for the publications listed above have been changed to reflect the new priorities associated with the Information Security Transformation Initiative (the current project underway with the Department of Defense, the Office of the Director of National Intelligence, and Committee on National Security Systems to develop a common set of information security standards and guidelines for the federal government and its contractors). Any future changes to the milestone dates will be posted on the NIST web site as soon as the information is available from the Joint Task Force Transformation Initiative Working Group.


White Paper: The Transitioning of Cryptographic Algorithms and Key Sizes
July 2, 2009
Comments are requested on the white paper "The Transitioning of Cryptographic Algorithms and Key Sizes" by August 3, 2009. Please provide comments to CryptoTransitions@nist.gov.


NIST Computer Security Division announces the release of two documents (1 draft NIST IR and 1 final Special Publication (SP)).
June 16, 2009
 
#1: SP 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, has been published as final. SP 800-46 Revision 1 is intended to help organizations understand and mitigate the risks associated with the technologies they use for telework. The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it also provides recommendations for selecting, implementing, and maintaining the necessary security controls. Draft SP 800-46 Revision 1 is a comprehensive update to the original SP 800-46, which was published in 2002.

#2: The second public draft of NIST IR 7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, is now available for public comment. This report proposes a specification for CCSS, a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores would be determined. Once CCSS is finalized and CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7502 by July 17, 2009. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.


Mark-up Version of SP 800-53 Revision 3 now available
June 10, 2009
The mark-up copy of Draft Special Publication 800-53 Rev. 3 is now available. Please accept our apologies for the delay in releasing this mark-up copy.


FIPS Publication 186-3 has been released
June 10, 2009
NIST announces the adoption of FIPS 186-3, The Digital Signature Standard (see the Federal Register Notice). FIPS 186-3 is a revision of FIPS 186-2. The FIPS specifies three techniques for the generation and verification of digital signatures: DSA, ECDSA and RSA. This revision increases the length of the keys allowed for DSA, provides additional requirements for the use of ECDSA and RSA, and includes requirements for obtaining assurances necessary for valid digital signatures.


NIST Announces the Release of the Final Public Draft of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
June 3, 2009
 
NIST announces the release of the final public draft of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. The final public draft of Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.
 
The standardized set of management, operational, and technical controls provides a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems. The important changes in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. The final publication of Special Publication 800-53, Revision 3 is targeted for July 31, 2009. Comments will be accepted until July 1, 2009 and should be sent to sec-cert@nist.gov. NIST will post the markup version of Special Publication 800-53, Revision 3, on or around June 10, 2009.


Risk Management Framework (RMF) - FAQs and Quick Start Guides (QSGs) Now Available
May 15, 2009
 
NIST’s Computer Security Division has released Frequently Asked Questions (FAQs) and Quick Start Guides (QSGs) for Step 1 Categorize and Step 6 Monitor of the Risk Management Framework (RMF). The FAQs and QSGs for steps 2-5 are still in development and will become available when finalized. The RMF 6-step chart posted on the website contains links to NIST Special Publications (SP), Federal Information Processing Standards (FIPS), FAQs and QSGs associated with the respective steps in the RMF.


Working Definition of Cloud Computing Released
May 14, 2009
 
NIST announces that its working definition of cloud computing is available. Researchers worked in collaboration with industry and government to draft the definition that serves as a foundation for its research and future publication on the topic. Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Researchers are studying cloud architectures, economics, security and deployment strategies for the federal government.
 
Comments on the definition can be sent to cloud@nist.gov.


Draft Special Publication 800-117
May 5, 2009
 
NIST announces that Draft Special Publication (SP) 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains how IT product and service vendors can adopt SCAP's capabilities within their offerings.
 
NIST requests comments on draft SP 800-117 by June 12, 2009. Please submit comments to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.


Draft Special Publication 800-118
April 21, 2009
 
NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.


Special Publication 800-85A-1
April 3, 2009
 
NIST is pleased to announce the release of SP 800-85A-1, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Card Application and the PIV Middleware interfaces for conformance to the specifications in SP 800-73-2 (Interfaces for Personal Identity Verification). The document is a revision of the earlier version (March 2006), which reflected the TA and DTR from the superseded SP 800-73-1, 2006 Edition. The new SP 800-85A-1 is based on the TA and DTRs from SP 800-73-2 (September 2008 Edition) and includes the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface, as well as to the PIV Middleware, through the specifications in SP 800-73-2 Parts 1, 2 and 3. A short summary of the changes is available here.


Draft Special Publication (SP) 800-16 Rev. 1, Information Security Training Requirements: A Role- and Performance-Based Model
March 20, 2009
 
NIST announces the release of the Initial Public Draft (IPD) of Special Publication 800-16, Revision 1, Information Security Training Requirements: A Role- and Performance-Based Model. This publication is now available for public comment.
 
The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.


NIST Computer Security Division Released 2 NIST IRs (1 Draft and 1 Final)
March 6, 2009
#1: Draft NIST Interagency Report (IR) 7564, Directions in Security Metrics Research, is now available for public comment. This report provides an overview of the security metrics area and identifies possible avenues of research that could be pursued to advance the state of the art.
 
NIST requests that comments be submitted by electronic mail by March 27, 2009. Please send them to IR7564comments@nist.gov with "Comments IR 7564" in the subject line.
 
#2: NIST Interagency Report (IR) 7536, 2008 Computer Security Division Annual Report, is now available. Please note that the electronic version on CSRC is not the final printed version. The final printed version should be available by the end of March to the first week of April, if you would like to see a colorful version.


Draft SP 800-53, Revision 3 (Markup) is now available
February 27, 2009
 
The following document provides a line-by-line comparison between SP 800-53, Revision 2 and Draft SP 800-53, Revision 3. It should also be noted that the section of the publication addressing scoping considerations for scalability was inadvertently omitted from the public draft and will be reinstated in the final publication.


NIST Computer Security Division Released 2 Draft Documents: Draft Special Publication 800-81 Revision 1 and also Draft NIST IR 7517 - see below for details
February 27, 2009
 
#1 --- NIST has drafted a new version of the document "Secure Domain Name System (DNS) Deployment Guide (SP 800-81)". This document, after a review and comment cycle, will be published as NIST SP 800-81 Revision 1. There will be two rounds of public comments, and this is our posting for the first one. Federal agencies and private organizations, as well as individuals, are invited to review the draft Guidelines and submit comments to NIST by sending them to SecureDNS@nist.gov before March 31, 2009. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. To learn more about this document, please visit the DRAFTS page on CSRC. Once on the drafts page, there is a short list of the changes that have been made to this draft document from the original SP 800-81 released in 2006.
 
#2 --- Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring System (CMSS), is now available for public comment. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. NISTIR 7517 also provides examples of how CMSS measures and scores would be determined. Once CMSS is finalized, CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please submit comments to IR7517comments@nist.gov with "Comments IR 7517" in the subject line.


NIST Releases DRAFT Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security
February 24, 2009
 
NIST announces that Draft Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, has been released for public comment. SP 800-46 Revision 1 is intended to help organizations understand and mitigate the risks associated with the technologies they use for telework. The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it also provides recommendations for selecting, implementing, and maintaining the necessary security controls. Draft SP 800-46 Revision 1 is a comprehensive update to the original SP 800-46, which was published in 2002.
 
NIST requests comments on draft SP 800-46 Revision 1 by March 27, 2009. Please submit comments to 800-46comments@nist.gov with "Comments SP 800-46" in the subject line.


NIST Computer Security Division has announced the Safeguarding Health Information: Building Assurance Through HIPAA Security – A CMS & NIST HIPAA Security Rule Conference website is now available
February 23, 2009
 
Information regarding the Safeguarding Health Information: Building Assurance through Security – A CMS & NIST HIPAA Security Rule Conference is now available on the CSRC website. This conference will be held on May 18-19, 2009 at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD. More information regarding this conference, along with the agenda, registration and hotel accommodations, directions to NIST, and conference contacts, can be found at the conference website on CSRC.


NIST is proud to announce the release of Special Publication 800-106 and Special Publication (SP) 800-107
February 20, 2009
 
NIST announces the release of Special Publication 800-106, Randomized Hashing for Digital Signatures. This Recommendation provides a technique to randomize the input messages to hash functions prior to the generation of digital signatures to strengthen security of the digital signatures.
 
NIST announces the release of Special Publication 800-107, Recommendation for Using Approved Hash Algorithms. This Recommendation provides guidance on using the Approved hash algorithms in digital signatures applications, Keyed-hash Message Authentication Codes (HMACs), key derivation functions (KDFs) and random number generators.


Comments Received for Draft Special Publication 800-120
February 19, 2009
Please see the following file for the comments received on the draft Special Publication 800-120 during the public comment period.


Draft SP800-85A-1 "PIV Card Application and Middleware Interface Test Guidelines (SP800-73-2 compliance)"
February 6, 2009
NIST has prepared a revised version of NIST Special Publication (SP) 800-85A, "PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance)". The revised document is titled Draft SP 800-85A-1, "PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 compliance)". The revisions include the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface, as well as to the PIV Middleware, through the specifications in SP 800-73-2 Parts 1, 2 and 3. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85A-1. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVtesting@nist.gov with "Comments on Public Draft SP 800-85A-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on February 28, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.


DRAFT SP 800-53 Rev.3, Recommended Security Controls for Federal Information Systems and Organizations
February 5, 2009
NIST announces the release of the Initial Public Draft (IPD) of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. This is the first major update of Special Publication 800-53 since its initial publication in December 2005. We have received excellent feedback from our customers during the past three years and have taken this opportunity to provide significant improvements to the security control catalog. In addition, the changing threat environment and growing sophistication of cyber attacks necessitated specific changes to the allocation of security controls and control enhancements in the low-impact, moderate-impact, and high-impact baselines. We also continue to work closely with the Department of Defense and the Office of the Director of National Intelligence under the auspices of the Committee on National Security Systems on the harmonization of security control specifications across the federal government. And lastly, we have added new security controls to address organization-wide security programs and introduced the concept of a security program plan to capture security program management requirements for organizations. The privacy-related material, originally scheduled to be included in Special Publication 800-53, Revision 3, will undergo a separate public review process in the near future and be incorporated into this publication, when completed. Comments will be accepted until March 27, 2009. Comments should be forwarded via email to sec-cert@nist.gov.


NIST Announces the release of 2 Draft documents: (1) DRAFT Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) and (2) DRAFT NIST IR 7497
January 13, 2009
(1) NIST announces that draft Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), is now available for public comment. SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling.
 
NIST requests comments on draft SP 800-122 by March 13, 2009. Please submit comments to 800-122comments@nist.gov with "Comments SP 800-122" in the subject line.

(2) NIST Interagency Report (IR) 7497, Draft Security Architecture Design Process for Health Information Exchanges (HIEs), is intended to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that applies them specifically to the HIE domain. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.

Please submit your comments to draft-nistir7497-comments@nist.gov. The comment period for draft NIST IR 7497 closes on Friday March 13, 2009.