
Drafts

This page lists draft NIST publications (FIPS, Special Publications) that are either open for public review and comment, or are awaiting approval as final documents by the Secretary of Commerce.

Aug. 11, 2009

NIST IR-7581

DRAFT System and Network Security Acronyms and Abbreviations

NIST announces that draft NIST IR 7581, System and Network Security Acronyms and Abbreviations, is now available for public comment. The report contains a list of acronyms and abbreviations for selected system and network security terms, along with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network security publications. Readers are encouraged to submit additional security acronyms and abbreviations, particularly for emerging technologies, for consideration as additions to the report.
 
NIST requests comments on Draft NIST IR 7581 by September 11, 2009. Please submit comments to securityacronyms@nist.gov.

draft-nistir-7581.pdf (203 KB)

July 31, 2009

SP 800-126

DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP)

NIST announces that Draft Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-126 also provides an overview of SCAP, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces.
 
NIST requests comments on draft SP 800-126 by August 31, 2009. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.

Draft-SP800-126.pdf (1.5 MB)

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.

draft-sp800-65rev1.pdf (679 KB)

June 16, 2009

NIST IR-7502

DRAFT The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities

The second public draft of IR 7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, is now available for public comment. This report proposes a specification for CCSS, a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores would be determined. Once CCSS is finalized and CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.

NIST requests comments on Draft NISTIR 7502 by July 17, 2009. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.

Draft-NISTIR-7502.pdf

May 5, 2009

SP 800-117

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP)

NIST announces that Draft Special Publication (SP) 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains how IT product and service vendors can adopt SCAP's capabilities within their offerings.
 
NIST requests comments on draft SP 800-117 by June 12, 2009. Please submit comments to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

draft-sp800-117.pdf (215 KB)

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.

draft-sp800-118.pdf (181 KB)

Apr. 21, 2009

NIST IR-7511 Rev. 1

DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements

Draft NIST Interagency Report (IR) 7511 Revision 1, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 1 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
If you have questions regarding this document, please send email to: IR7511comments@nist.gov.
 
Webmaster's Note: The first link "draft-nistir-7511_rev1.pdf" below is for NIST IR 7511 Revision 1 (posted April 21, 2009) and the second link "Draft-NISTIR-7511.pdf" is the original NIST IR 7511 (updated April 14, 2009).

draft-nistir-7511_rev1.pdf (302 KB)
Draft-NISTIR-7511.pdf (211 KB)

Mar. 20, 2009

SP 800-16 Rev. 1

DRAFT Information Security Training Requirements: A Role- and Performance-Based Model

The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.

Draft-SP800-16-Rev1.pdf (1,197 KB)

Mar. 6, 2009

NIST IR-7564

DRAFT Directions in Security Metrics Research

Draft NIST Interagency Report (IR) 7564, Directions in Security Metrics Research, is now available for public comment. This report provides an overview of the security metrics area and identifies possible avenues of research that could be pursued to advance the state of the art.
 
NIST requests that comments be submitted by electronic mail by March 27, 2009. Please send them to IR7564comments@nist.gov with "Comments IR 7564" in the subject line.

Draft-NISTIR-7564.pdf (384 KB)

Feb. 27, 2009

SP 800-81 Rev. 1

DRAFT Secure Domain Name System (DNS) Deployment Guide

NIST has drafted a new version of the document "Secure Domain Name System (DNS) Deployment Guide (SP 800-81)". After a review and comment cycle, this document will be published as NIST SP 800-81r1. There will be two rounds of public comment; this posting is for the first round. Federal agencies, private organizations, and individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to SecureDNS@nist.gov before March 31, 2009. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.
 
Reviewers of the draft revised Guidelines should note the following differences and additions:
  (1) Updated recommendations for all cryptographic operations relating to digital signing of DNS records, verification of the signatures, zone transfer, dynamic updates, key management, and authenticated denial of existence.
  (2) The additional IETF RFC documents that have formed the basis for the updated recommendations include: DNSSEC Operational Practices (RFC 4641), Automated Updates for DNS Security (DNSSEC) Trust Anchors (RFC 5011), DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155), and HMAC SHA TSIG Algorithm Identifiers (RFC 4635).
  (3) The FIPS standards and NIST guidelines incorporated into the updated recommendations include: The Keyed-Hash Message Authentication Code (HMAC) (FIPS 198-1), Digital Signature Standard (FIPS 186-3), and Recommendation for Key Management (SP 800-57 Part 1 and SP 800-57 Part 3).
  (4) Illustration of secure configuration examples using the NSD DNS software, in addition to BIND.

NIST_SP-800-81-Rev1_draft.pdf (600 KB)

Feb. 27, 2009

NIST IR-7517

DRAFT The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring System (CMSS), is now available for public comment. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. NISTIR 7517 also provides examples of how CMSS measures and scores would be determined. Once CMSS is finalized, CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please submit comments to IR7517comments@nist.gov with "Comments IR 7517" in the subject line.

Draft-NISTIR-7517.pdf (335 KB)

Jan. 13, 2009

SP 800-122

DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

NIST announces that draft Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), is now available for public comment. SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling.
 
NIST requests comments on draft SP 800-122 by March 13, 2009. Please submit comments to 800-122comments@nist.gov with "Comments SP 800-122" in the subject line.

Draft-SP800-122.pdf (394 KB)

Jan. 13, 2009

NIST IR-7497

DRAFT Security Architecture Design Process for Health Information Exchanges (HIEs)

NISTIR 7497, Draft Security Architecture Design Process for Health Information Exchanges (HIEs), is intended to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that applies them specifically to the HIE domain. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.
 
Please submit your comments to draft-nistir7497-comments@nist.gov. The comment period for draft NIST IR 7497 closes on Friday March 13, 2009.

Draft-NISTIR-7497.pdf (625 KB)

Dec. 22, 2008

SP 800-120

DRAFT Recommendation for EAP Methods Used in Wireless Network Access Authentication

NIST announces the release of draft Special Publication 800-120, Recommendation for EAP Methods Used in Wireless Network Access Authentication. This Recommendation specifies security requirements for authentication methods with key establishment supported by the Extensible Authentication Protocol (EAP), defined in IETF RFC 3748, for wireless access authentication to federal networks. Please submit comments to 800-120comments@nist.gov with "Comments on SP 800-120" in the subject line. The comment period closes on January 30, 2009.

draft-SP800-120_Dec2008.pdf (721 KB)
CommentsReceived_Draft-SP800-120.pdf

Dec. 12, 2008

SP 800-63 Rev. 1

DRAFT Electronic Authentication Guideline

Draft SP 800-63 Revision 1, E-Authentication Guideline, is available for a second public comment period. It supplements OMB guidance by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. The bulk of the changes since the previously posted draft of SP 800-63-1 concern assertion technologies and Kerberos. Comments will be accepted until January 30, 2009. Comments should be forwarded via email to eauth-comments@nist.gov.

SP800-63-Rev1_Dec2008.pdf (924 KB)

Dec. 10, 2008

SP 800-56 B

DRAFT Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography

NIST requests comments on Draft SP 800-56B, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography. This Recommendation provides the specifications of asymmetric-based key agreement and key transport schemes that are based on the Rivest Shamir Adleman (RSA) algorithm. Please provide comments to ebarker@nist.gov by February 12, 2009, with “Comments on SP 800-56B” in the subject line.

Draft_SP800-56B_Dec2008.pdf (465 KB)

Nov 12, 2008

SP 800-102

DRAFT Recommendation for Digital Signature Timeliness

NIST requests comments on SP 800-102, Recommendation for Digital Signature Timeliness. This Recommendation provides methods for obtaining assurance about the time that a message was signed. The concepts in this Recommendation were presented in the original public comment draft of FIPS 186-3, The Digital Signature Standard. Please provide comments to ebarker@nist.gov by December 19, 2008, with "Comments on SP 800-102" in the subject line.

Draft_SP800-102.pdf (180 KB)

Oct 24, 2008

SP 800-57 Part 3

DRAFT Recommendation for Key Management, Part 3 Application-Specific Key Management Guidance

NIST announces the release of a draft of Part 3 of Special Publication 800-57, Recommendation for Key Management: Application-Specific Key Management Guidance. This Recommendation provides guidance when using the cryptographic features of current systems. It is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in the normal use of the application. Recommendations are given for a select set of applications, namely: PKI, IPsec, TLS, S/MIME, Kerberos, OTAR, DNSSEC and Encrypted File Systems. Other topics will be added at a later time, and commenters are invited to suggest such topics. Please submit comments to part3-sp800-57-comments@nist.gov with "Comments on Draft 800-57, Part 3" in the subject line. The comment period closes on January 16th, 2009.
 
To view the original SP 800-57 Part 1 and 2 document, please go to the Special Publications page.

Draft_SP800-57-Part3_Recommendationforkeymanagement.pdf (1,019 KB)

Sep 29, 2008

SP 800-82

DRAFT Guide to Industrial Control Systems (ICS) Security

The final public draft of SP 800-82 is available for public comment. It provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the second public draft, which was released in 2007. NIST requests comments on NIST SP 800-82 by November 30, 2008. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

draft_sp800-82-fpd.pdf (2,282 KB)

Sept. 19, 2008

SP 800-70 Rev. 1

DRAFT National Checklist Program for IT Products--Guidelines for Checklist Users and Developers

Draft Special Publication 800-70 Revision 1, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 1 replaces the original version of the document, which was released in 2005.

NIST requests comments on draft SP 800-70 Revision 1 by October 31, 2008. Please submit comments to 800-70comments@nist.gov with "Comments SP 800-70" in the subject line.

Draft-SP800-70-r1.pdf

August 19, 2008

SP 800-37 Rev. 1

DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach

NIST, in cooperation with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), announces the completion of an interagency project to develop a common process to authorize federal information systems for operation. The initial public draft of NIST Special Publication 800-37, Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, is now available for a six-week public comment period. The publication contains the proposed new security authorization process for the federal government (currently referred to as certification and accreditation, or C&A). The new process is consistent with the requirements of the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130, Appendix III; promotes the concept of near real-time risk management based on continuous monitoring of federal information systems; and more closely couples information security requirements to the Federal Enterprise Architecture (FEA) and System Development Life Cycle (SDLC).

The historic nature of the partnership among the Civil, Defense, and Intelligence Communities and the rapid convergence of information security standards and guidelines for the federal government will have a significant impact on the federal government's ability to protect its information systems and networks. The convergence of security standards and guidelines is forging ahead with the development of a series of new CNSS policies and instructions that closely parallel the NIST security standards and guidelines developed in response to FISMA. The CNSS policies and instructions, which address the specific areas of security categorization, security control specification, security control assessment, risk management, and security authorization, coupled with the current NIST publications, will provide a more unified information security framework for the federal government and its contracting base. The unified approach to information security is brought together in part by the update to NIST Special Publication 800-37, Revision 1, which provides a common security authorization process and references the NIST and CNSS publications for the non-national-security and national security communities, respectively. The convergence activities mentioned above, along with tighter integration of security requirements into the FEA and SDLC processes, will promote more consistent and cost-effective information security and trusted information sharing across the federal government.

Comments on the IPD of SP 800-37, Revision 1 should be provided by September 30, 2008, and forwarded to the Computer Security Division, Information Technology Laboratory at NIST, or submitted via email to sec-cert@nist.gov.

SP800-37-rev1-IPD.pdf (836 KB)

July 9, 2008

SP 800-41 Rev. 1

DRAFT Guidelines on Firewalls and Firewall Policy

The comment period has closed. The final document is slated for release in late June to early or mid July 2009.

Draft-SP800-41rev1.pdf (495 KB)

April 3, 2008

SP 800-39

DRAFT Managing Risk from Information Systems: An Organizational Perspective

NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible, approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST, or submitted via email to sec-cert@nist.gov.

SP800-39-spd-sz.pdf (634 KB)

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements that security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customer responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe are important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received, NIST will update and republish this report and use it as a reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST, or submitted via email to sec-cert-p2@nist.gov.

NISTIR_7328-ipdraft.pdf (327 KB)

Jul 13, 2007

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules

Draft FIPS 140-3 is the proposed revision of FIPS 140-2. The draft specifies five security levels instead of the four found in FIPS 140-2; has a separate section for software security; requires mitigation of non-invasive attacks when validating at higher security levels; introduces the concept of public security parameters; allows the deferral of certain self-tests until specific conditions are met; and strengthens the requirements on user authentication and integrity testing. Please submit electronic comments to FIPS140-3@nist.gov, with "Comments on Draft 140-3" in the subject line. ADDRESSES: Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive--Stop 8930. DATES: Comments must be received on or before October 11, 2007.

fips1403Draft.pdf (1,280 KB)

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of the draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. SP 800-103 is available for a six-week public comment period. This document covers the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas as a framework for the retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. The comment period is now closed.

sp800-103-draft.pdf (699 KB)
draft-sp800-103.zip (558 KB)