NIST Announces the release of Special Publication 800-55 Revision 1
July 21, 2008
NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.
NIST announces the public comment release of the following 3 documents:
- Special Publication (SP) 800-121, Guide to Bluetooth Security,
- SP 800-107, Recommendation for Applications Using Approved Hash Algorithms, and
- SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy.
July 9, 2008
Draft SP 800-121, Guide to Bluetooth Security, describes the security capabilities of Bluetooth technologies and gives recommendations to organizations employing Bluetooth technologies on securing them effectively. Much of SP 800-121 was originally included in draft NIST SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth, but based on public comments, the Bluetooth material has been removed from SP 800-48 and placed in its own publication. NIST requests comments on draft SP 800-121 by August 22, 2008. Please submit comments to 800-121comments@nist.gov with "Comments SP 800-121" in the subject line.
NIST announces the release of the second draft of Special Publication 800-107, Recommendation for Applications Using Approved Hash Algorithms. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3, such as digital signature applications, Keyed-hash Message Authentication Codes (HMACs) and Hash-based Key Derivation Functions (HKDFs). Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-107" in the subject line. The comment period closes on October 9, 2008.
Draft SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy, provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based, and personal firewalls. SP 800-41 Revision 1 updates the original publication, which was released in 2002. NIST requests comments on draft SP 800-41 Revision 1 by August 15, 2008. Please submit comments to 800-41comments@nist.gov with "Comments SP 800-41" in the subject line.
NIST announces the release of two publications: Special Publication (SP) 800-113, Guide to SSL VPNs, and draft SP 800-124, Guidelines on Cell Phone and PDA Security
July 7, 2008
SP 800-113, Guide to SSL VPNs, seeks to assist organizations in understanding Secure Sockets Layer (SSL) virtual private network (VPN) technologies. The publication also makes recommendations for designing, implementing, configuring, securing, monitoring, and maintaining SSL VPN solutions. SP 800-113 provides a phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments. It also includes a comparison with other similar technologies such as IPsec VPNs and other VPN solutions.
Draft SP 800-124, Guidelines on Cell Phone and PDA Security, is available for public comment. It provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights for making informed information technology security decisions regarding their treatment. SP 800-124 gives details about the threats, technology risks, and safeguards for these devices. NIST requests comments on draft SP 800-124 by August 8, 2008. Please submit comments to 800-124comments@nist.gov with "Comments SP 800-124" in the subject line.
Release of 3 Special Publications (SP): SP 800-53A, SP 800-67 (updated), and SP 800-79-1
June 30, 2008
1. NIST announces the release of Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This publication provides comprehensive assessment procedures for the security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Assessment cases that can be used by federal agencies to supplement the assessment procedures are described in Special Publication 800-53A, Appendix J. The assessment cases are being developed by an interagency task force as part of the Assessment Case Development Project and will be posted on the NIST website at http://csrc.nist.gov/sec-cert on or about July 25, 2008.
2. NIST Special Publication 800-67 Version 1.1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, has been updated. Appendix E explains what has been updated in this document.
3. NIST is pleased to announce Special Publication 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers. This is a substantial improvement over SP 800-79 that takes into account: (a) the emergent business models (in-house, leased, shared, etc.) for Personal Identity Card Issuers (PCI), (b) lessons learnt in past accreditations, and (c) the directives in OMB memorandums. The most significant change is the replacement of "Attributes" with an objective set of PCI controls and an assessment and accreditation methodology that assesses the capability and reliability of a PCI based on these controls. Specifically, the accreditation methodology consists of the following steps: (a) derivation of PCI controls based on requirements in FIPS 201-1 and supporting documents, OMB Memorandums, etc.; (b) providing a context for PCI controls by identifying a set of hierarchical concepts such as PCI Accreditation Topics and PCI Accreditation Focus Areas; (c) development of assessment methods appropriate for each PCI control that will assess conformance to the underlying requirements; and (d) guidance for evaluating the results of assessments in order to arrive at an accreditation decision.
Request for Public Comment on XTS-AES
June 5, 2008
The P1619 Task Group of the Security in Storage Working Group (SISWG) of the Institute of Electrical and Electronics Engineers, Inc. (IEEE) has submitted the XTS-AES algorithm (XTS, for short) to NIST as an encryption mode of operation of the Advanced Encryption Standard (AES) block cipher. Although XTS does not provide authentication in order to avoid expansion of the data, it is designed to provide some protection against malicious manipulation of the encrypted data. NIST is proposing approval of XTS for government use after a period of public comment.
Additional information is available in the Request for Public Comment on XTS.
Draft NIST Interagency Report (IR) 7502, The Common Configuration Scoring System (CCSS), is now available for public comment.
May 30, 2008
This document proposes a specification for CCSS, a set of standardized measures for the characteristics and impacts of software security configuration issues. NISTIR 7502 also provides several examples of how CCSS measures and scores would be determined for a diverse set of configuration issues. Once CCSS is finalized, CCSS data can assist organizations in making sound decisions as to how configuration issues should be addressed and can provide data to be used in quantitative assessments of host security. For more details on how to submit comments, please visit the Drafts page.
Draft Special Publication 800-123 is now available
May 6, 2008
Draft SP 800-123, Guide to General Server Security, is available for public comment. This document is intended to assist organizations in installing, configuring, and maintaining secure servers. SP 800-123 makes recommendations for securing a server's operating system and server software, as well as maintaining the server's secure configuration through application of appropriate patches and upgrades, security testing, log monitoring, and backups of data and operating system files. The document addresses common servers that use general operating systems and are deployed in both outward-facing and inward-facing locations. Comments need to be received by June 13, 2008. For more information regarding this draft, please visit the CSRC Drafts page (link provided above).
Draft Special Publication 800-66 Revision 1 is now available for Public Comment
May 1, 2008
NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP) discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule. It was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, to direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and to aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.
Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008. Go to the Drafts page to learn more about this draft.
DRAFT Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions
May 1, 2008
NIST announces the release of Draft Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. This Recommendation specifies techniques for key derivation from a secret key using pseudorandom functions (PRFs). The comment period closes on June 28, 2008. To learn more about this draft, please visit the CSRC Drafts page.
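As an added illustration of what a PRF-based key derivation function looks like (this is example code written for this page, not text or code from SP 800-108 or NIST), the block below implements the counter-mode construction that the final SP 800-108 specifies, using HMAC-SHA-256 as the PRF. The key value, the "ENC"/"MAC" labels and the context string are constructed for the demonstration, and the draft announced above may differ in details from the construction shown.

```python
import hashlib
import hmac
import struct


def prf(k_in: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """The PRF: HMAC over `hash_name`, keyed with the key-derivation key."""
    return hmac.new(k_in, data, hash_name).digest()


def kdf_counter_mode(k_in: bytes, label: bytes, context: bytes, length: int,
                     hash_name: str = "sha256") -> bytes:
    """Derive `length` bytes of keying material in KDF counter mode.

    For block i = 1, 2, ..., n:
        K(i) = PRF(k_in, [i]_2 || Label || 0x00 || Context || [L]_2)
    where [i]_2 and [L]_2 are big-endian 32-bit encodings and L is the
    requested output length in bits. The output is K(1) || K(2) || ...
    truncated to L bits. Binding L and the label into every block means
    that asking for a different length, or for a different purpose,
    yields unrelated keying material rather than a prefix of the same.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-length // h_len)  # ceiling division
    if n_blocks > 0xFFFFFFFF:
        raise ValueError("too much output requested for a 32-bit counter")
    l_bits = struct.pack(">I", length * 8)
    out = bytearray()
    for i in range(1, n_blocks + 1):
        fixed_input = struct.pack(">I", i) + label + b"\x00" + context + l_bits
        out += prf(k_in, fixed_input, hash_name)
    return bytes(out[:length])


def derive_session_keys(master_key: bytes, context: bytes) -> dict:
    """Split one key-derivation key into purpose-bound keys.

    Labels (constructed here) keep the encryption and MAC keys
    cryptographically independent even though they share k_in and context.
    """
    return {
        "enc": kdf_counter_mode(master_key, b"ENC", context, 32),
        "mac": kdf_counter_mode(master_key, b"MAC", context, 32),
    }


if __name__ == "__main__":
    # Constructed sample inputs; a real key-derivation key comes from a
    # key-establishment scheme or a secure random source.
    master = bytes(range(32))
    ctx = b"client-id|server-id|session-nonce"
    for purpose, key in derive_session_keys(master, ctx).items():
        print(purpose, key.hex())
```

Running the module prints two 256-bit keys; the property worth noticing is that changing only the label, the context, or the requested length changes every byte of the output, which is what lets one key-derivation key safely feed several consumers.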
FY 2007 Annual Computer Security Division Report NIST Interagency Report (IR) 7442 Announcement
May 1, 2008
The NIST Computer Security Division is proud to announce the release of NIST Interagency Report (IR) 7442: Computer Security Division - 2007 Annual Report. This publication highlights the diverse research agenda that enabled the Computer Security Division to successfully respond to numerous challenges and opportunities in fulfilling its mission to provide standards and technology that protect information systems against threats to the confidentiality, integrity, and availability of information and services.
Special Publication 800-87 Revision 1 Released
April 30, 2008
NIST is pleased to announce Special Publication 800-87 (SP 800-87), Codes for the Identification of Federal and Federally-Assisted Organizations, Revision 1 - 2008. SP 800-87 Revision 1 - 2008 provides the organizational codes necessary to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier (CHUID). Appendix A of SP 800-87 Revision 1 - 2008 lists the agency code updates incorporated in this revision.
PIV PACS Integration Workshop
April 8, 2008
The National Institute of Standards and Technology (NIST) will hold a public Personal Identity Verification (PIV) Physical Access Control Systems (PACS) Integration workshop on Thursday, May 1, 2008 at the NIST campus in Gaithersburg, MD from 9:30am to 3:30pm. The purpose of the workshop is the exchange of information among PACS implementers, Federal agencies, and NIST. NIST will provide a briefing on SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), followed by a question and answer session. NIST will facilitate 10 minute individual presentations through which interested individuals may present observations to the group. All material presented will be made public. Individuals desiring to present their observations must contact Ketan Mehta (mehta_ketan@nist.gov) via email and provide an abstract and PowerPoint slides in advance. Workshop registration is required to gain entry to the NIST facilities. Please visit http://www.nist.gov/public_affairs/confpage/conflist.htm to register. The cost of registration is $50. Registration closes on April 28, 2008.
Update on Federal Desktop Core Configuration (FDCC)
April 3, 2008
At the Office of Management and Budget's (OMB) request, NIST is administering public comment for proposed settings changes to the Federal Desktop Core Configuration (FDCC).
Second DRAFT Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective
April 3, 2008
NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible, approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert@nist.gov.
Draft Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems
April 1, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce a draft publication SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. This draft includes recommendations for increasing the use of asymmetric key architecture and credential validation. Federal agencies and private organizations as well as individuals are invited to review the draft document and submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on May 12, 2008.
NIST Advanced Network Technologies Division has released DRAFT NIST Special Publication 500-267, A Profile for IPv6
April 1, 2008
NIST Advanced Network Technologies Division has released NIST Special Publication 500-267, A Profile for IPv6 in the U.S. Government - Version 1.0 (PDF), which is now available for public comment.
This document is not part of the 800 Series Computer Security Division Publications, which are developed specifically as standards and guidelines, including minimum requirements, for providing adequate information security for all federal agency operations and assets as stated in the Federal Information Security Management Act. Rather, the goal of the profile, and of the associated proposed testing program, is to provide the technical basis upon which long-term USG IPv6 adoption plans and policies can be based. It should be noted that the profile is not intended to be applicable to near-term uses (e.g., the June 2008 requirements described in M-05-22, http://www.whitehouse.gov/omb/memoranda/fy2005/m05-22.pdf). Instead, as a forward-looking strategic plan, the profile's recommendations are targeted for 2010 and beyond.
Comment Period for Draft SP 800-73-2 has been EXTENDED
March 21, 2008
The public comment period for Draft SP 800-73-2 has been extended. Public comments are now due by April 18, 2008, 5:00 pm EST.
Track Changes Now Available for Draft Special Publication 800-73-2 (Parts 1-3)
March 18, 2008
The following documents contain the tracked changes from the first to the second draft of SP 800-73-2. Editorial and formatting changes are not tracked. Of the 4 parts of this document, ONLY Part 4 had NO changes made to it. Please go to the Drafts page to view the Part 1, Part 2, and Part 3 track changes.
DRAFT SP 800-64 Rev. 2 Security Considerations in the System Development Life Cycle
March 14, 2008
NIST Draft SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, is now available for public comment from the CSRC Drafts page. The purpose of this draft revision is to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This should result in more cost-effective, risk-appropriate security control identification, development, and testing.
Comments on Draft SP 800-64 Revision 2 will be accepted through April 28, 2008. Please visit the Drafts page (link provided above) to learn where to submit comments.
Second Draft of Special Publication 800-73-2, Interfaces for Personal Identity Verification
March 7, 2008
NIST has posted a second draft of SP 800-73-2 for public comment. This draft incorporates some comments and suggestions that were received after the first public comment period had closed (see 3). The changes since the first draft include: 1) relaxation of the Global PIN security status limitations, 2) incorporation of an optional Global and PIV PIN discovery object, 3) addition of a discovery object for the PIV card application, 4) elimination of the previously proposed optional U-CHUID data object, and 5) resolutions of the first draft public comments. Please go to the DRAFTS page to view the Second Public Draft and to learn more about this draft along with where to forward comments. A comment template form is also provided. The comment period closes on April 4, 2008.
NIST announces the final release of SP 800-61 Revision 1, Computer Security Incident Handling Guide, and SP 800-28 Version 2, Guidelines on Active Content and Mobile Code.
March 7, 2008
SP 800-61 Revision 1, Computer Security Incident Handling Guide, seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. SP 800-61 Revision 1 updates the original publication, which was released in 2004.
SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, provides an overview of active content and mobile code technologies in use today and offers insights for making informed IT security decisions on their application and treatment. Active content refers to electronic documents that contain embedded software components, including mobile code; examples of mobile code are JavaScript, VBScript, Java applets, and ActiveX controls. The publication gives details about the active content and mobile code threats, technology risks, and safeguards for end user systems. SP 800-28 Version 2 is a new version of SP 800-28, which was released in 2001.
Additional Information on OMB Memorandum M-07-16
March 4, 2008
The Office of Management and Budget (OMB) Memorandum M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information", contains a requirement for logging and verifying sensitive database extracts. A frequently asked questions (FAQ) document that provides additional information on this requirement is now available.
General comments and questions on the FAQ and the database extract requirement may be addressed to John Barkhamer of OMB at John_W._Barkhamer@omb.eop.gov. Technical comments and questions may be addressed to dataextractfaq@nist.gov.
Draft Special Publication 800-63 Revision 1: E-Authentication Guideline
February 26, 2008
Draft SP 800-63-1, E-Authentication Guideline, is available for public comment. It supplements OMB guidance by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. Comments will be accepted until April 10, 2008. Please visit the Drafts page to learn more about this draft document and where to forward comments.
DRAFT Special Publication 800-79-1
February 22, 2008
NIST has drafted a new version of the document "Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations (SP 800-79)." The revised document is titled "Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCIs)". This document, after a review and comment period, will be published as NIST SP 800-79-1. Federal agencies and private organizations as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVaccreditation@nist.gov before March 30, 2008. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. To learn more about this draft document, please visit the DRAFT PUBLICATIONS page.
NIST IR 7275 Revision 3
February 1, 2008
NIST announces the release of NIST Interagency Report (NISTIR) 7275 Revision 3, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. This report describes XCCDF, which is a standardized Extensible Markup Language (XML) format that can be used to hold structured collections of security configuration rules for a set of target systems. The XCCDF specification is designed to provide automated testing and scoring that can support FISMA compliance and other efforts. NISTIR 7275 Revision 3 specifies the data model and XML representation for version 1.1.4 of XCCDF; the previous revision of NISTIR 7275 addressed version 1.1.3 of XCCDF.
Free Federal Desktop Core Configuration (FDCC) Implementers Workshop
January 9, 2008
On January 24, 2008, a free Federal Desktop Core Configuration (FDCC) Implementers Workshop will be held at NIST. The workshop will address technical aspects of FDCC and corresponding Security Content Automation Protocol (SCAP) updates. Additional information relating to the workshop can be found at http://www.nist.gov:80/public_affairs/confpage/080124.htm.