Drafts

This page lists draft NIST publications (FIPS and Special Publications) that are either open for public review and comment or awaiting approval as final documents by the Secretary of Commerce.

July 9, 2008

SP 800-121

DRAFT Guide to Bluetooth Security

Draft SP 800-121, Guide to Bluetooth Security, describes the security capabilities of Bluetooth technologies and gives recommendations to organizations employing Bluetooth technologies on securing them effectively. Much of SP 800-121 was originally included in draft NIST SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth, but based on public comments, the Bluetooth material has been removed from SP 800-48 and placed in its own publication. NIST requests comments on draft SP 800-121 by August 22, 2008. Please submit comments to 800-121comments@nist.gov with "Comments SP 800-121" in the subject line.

Draft-SP800-121.pdf (3,887 KB)
Draft-SP800-121_pdf.zip (1,580 KB)

July 9, 2008

SP 800-107

DRAFT Recommendation for Applications Using Approved Hash Algorithms

NIST announces the release of the 2nd draft Special Publication 800-107, Recommendation for Applications Using Approved Hash Algorithms. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3, such as digital signature applications, Keyed-hash Message Authentication Codes (HMACs) and Hash-based Key Derivation Functions (HKDFs). Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-107" in the subject line. The comment period closes on October 9, 2008.

draft-SP800-107-July2008.pdf (174 KB)

July 9, 2008

SP 800-41 Rev. 1

DRAFT Guidelines on Firewalls and Firewall Policy

Draft SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy, provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based, and personal firewalls. SP 800-41 Revision 1 updates the original publication, which was released in 2002. NIST requests comments on draft SP 800-41 Revision 1 by August 15, 2008. Please submit comments to 800-41comments@nist.gov with "Comments SP 800-41" in the subject line.

Draft-SP800-41rev1.pdf (495 KB)

July 7, 2008

SP 800-124

DRAFT Guidelines on Cell Phone and PDA Security

Draft SP 800-124, Guidelines on Cell Phone and PDA Security, is available for public comment. It provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights for making informed information technology security decisions regarding their treatment. SP 800-124 gives details about the threats, technology risks, and safeguards for these devices. NIST requests comments on draft SP 800-124 by August 8, 2008. Please submit comments to 800-124comments@nist.gov with "Comments SP 800-124" in the subject line.

Draft-SP800-124.pdf (301 KB)

May 30, 2008

NIST IR-7502

DRAFT The Common Configuration Scoring System (CCSS)

Draft NIST Interagency Report (IR) 7502, The Common Configuration Scoring System (CCSS), is now available for public comment. This document proposes a specification for CCSS, a set of standardized measures for the characteristics and impacts of software security configuration issues. NISTIR 7502 also provides several examples of how CCSS measures and scores would be determined for a diverse set of configuration issues. Once CCSS is finalized, CCSS data can assist organizations in making sound decisions as to how configuration issues should be addressed and can provide data to be used in quantitative assessments of host security.

NIST requests comments on Draft NISTIR 7502 by July 3, 2008. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.

Draft-NISTIR-7502.pdf

May 6, 2008

SP 800-123

DRAFT Guide to General Server Security

Draft SP 800-123, Guide to General Server Security, is available for public comment. This document is intended to assist organizations in installing, configuring, and maintaining secure servers. SP 800-123 makes recommendations for securing a server's operating system and server software, as well as maintaining the server's secure configuration through application of appropriate patches and upgrades, security testing, log monitoring, and backups of data and operating system files. The document addresses common servers that use general operating systems and are deployed in both outward-facing and inward-facing locations. NIST requests comments on Draft SP 800-123 by June 13, 2008. Please submit comments to 800-123comments@nist.gov with "Comments SP 800-123" in the subject line.

Draft-SP800-123.pdf (326 KB)

May 1, 2008

SP 800-108

DRAFT Recommendation for Key Derivation Using Pseudorandom Functions

NIST announces the release of draft Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. This Recommendation specifies techniques for key derivation from a secret key using pseudorandom functions (PRF). Please submit comments to draft-SP800-108-comment@nist.gov with "Comments on SP800-108" in the subject line. The comment period closes on June 28, 2008.

Draft_SP-800-108_April-2008.pdf (166 KB)

May 1, 2008

SP 800-66 Rev 1

DRAFT An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.

Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008. Comments should be submitted via email to 800-66comments@nist.gov, or forwarded to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-66 Rev. 1, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, MD 20899-8930.

Draft_SP800-66-Rev1.pdf (725 KB)

April 3, 2008

SP 800-39

DRAFT Managing Risk from Information Systems: An Organizational Perspective

NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible, approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert@nist.gov.

SP800-39-spd-sz.pdf (634 KB)

April 1, 2008

SP 800-116

DRAFT A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. This draft includes recommendations for increasing the use of asymmetric key architecture and credential validation. Federal agencies and private organizations as well as individuals are invited to review the draft document and submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on May 12, 2008.

Draft-SP800-116.pdf (556 KB)
Comments-FormFor-Draft-SP800-116.xls

March 14, 2008

SP 800-64 Rev. 2

DRAFT Security Considerations in the System Development Life Cycle

The purpose of this draft revision is to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This should result in more cost effective, risk appropriate security control identification, development and testing.
Comments on Draft SP 800-64 Revision 2 will be accepted through April 28, 2008. Comments should be submitted via email to 800-64comments@nist.gov, or forwarded to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-64 Rev. 2, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, MD 20899-8930.

draft-SP800-64-Revision2.pdf (900 KB)

Mar. 7, 2008

SP 800-73-2

DRAFT Interfaces for Personal Identity Verification (4 parts):
1- End-Point PIV Card Application Namespace, Data Model and Representation
2- End-Point PIV Card Application Interface
3- End-Point PIV Client Application Programming Interface
4- The PIV Transitional Data Model and Interfaces

NIST has posted a second draft of SP 800-73-2 for public comment. This draft incorporates some comments and suggestions that were received after the first public comment period had closed (see 3). The changes since the first draft include: 1) relaxation of the Global PIN security status limitations, 2) incorporation of an optional Global and PIV PIN discovery object, 3) addition of a discovery object for the PIV card application, 4) elimination of the previously proposed optional U-CHUID data object, and 5) resolutions of the first draft public comments. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on 2nd Public Draft SP 800-73-2" in the subject line. The comment period closes at 5:00 EST (US and Canada) on April 18, 2008. (NOTE: the due date has been extended from April 4 to April 18.)

2nddraft_SP800-73-2_part1_DataModel-032008.pdf (459 kB)
2nddraft_SP800-73-2_part2_EndPointPIVCardApplicationCardCommandInterface-032008.pdf (282 KB)
2nddraft_SP800-73-2_part3_EndpointClientAPI-032008.pdf (177 KB)
2nddraft_SP800-73-2_part4_TransitionalSpec-032008.pdf (172 KB)
Comments-form-on-NIST_SP800-73-2.xls (26 KB)
2nddraft-SP800-73-2.zip (694 KB)
TrackChanges_Part1_SP800-73-2.pdf (322 KB)
TrackChanges_Part2_SP800-73-2.pdf (214 KB)
TrackChanges_Part3_SP800-73-2.pdf (148 KB)

Feb 26, 2008

SP 800-63-1

DRAFT Electronic Authentication Guidelines

Draft SP 800-63 Revision 1, E-Authentication Guideline, is available for public comment. It supplements OMB guidance by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. Comments will be accepted until April 10, 2008. Comments should be forwarded via email to eauth-comments@nist.gov.

Draft_SP-800-63-1_2008Feb20.pdf (726 KB)

Dec 28, 2007

FIPS 186-3 Appendices

DRAFT RSA Strong Primes - Digital Signature Standard (DSS)

NIST requests comments on revised text for FIPS 186-3 related to the generation of RSA key pairs. Please provide comments by February 1, 2008 to ebarker@nist.gov.

fips186-3_Strong-Prime-Sections_Dec2007.pdf

Nov 13, 2007

SP 800-115

DRAFT Technical Guide to Information Security Testing

Draft SP 800-115, Technical Guide to Information Security Testing, is available for public comment. It seeks to assist organizations in planning and conducting technical information security testing, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security testing processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use. Draft SP 800-115 is intended to replace SP 800-42, Guideline on Network Security Testing, which was released in 2003. NIST requests comments on Draft SP 800-115 by January 4, 2008. Please submit comments to 800-115comments@nist.gov with "Comments SP 800-115" in the subject line.

Draft-SP800-115.pdf (694 KB)
Draft-SP800-115_pdf.zip (468 KB)

Nov 8, 2007

SP 800-60 Rev. 1

DRAFT Guide for Mapping Types of Information and Information Systems to Security Categories (2 Volumes):
Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories
Volume 2: Appendices

NIST Draft SP 800-60 Revision 1, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories and Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, is now available for public comment at http://csrc.nist.gov/publications/PubsDrafts.html. The draft revision to Volume I contains the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in draft Volume II include security categorization recommendations and rationale for mission-based and management and support information types. While agencies are encouraged to review and comment on both volumes, special attention is requested on the provisional impact level recommendations found in Volume II for those information types most commonly used by their organization and within their information systems. Comments on Draft SP 800-60 Revision 1 (Volumes I and II) will be accepted through December 10, 2007. Comments should be submitted via email to sp800-60-rev2-comments@nist.gov, or forwarded to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-60 Revision 1, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, MD 20899-8930.

draft-SP800-60_Volume1-Revision1.pdf (1,566 KB)
draft-SP800-60_Volume1-Revision1.zip (826 KB)
draft-SP800-60_Volume2-Revision1.pdf (8,523 KB)
draft-SP800-60_Volume2-Revision1.zip (4,172 KB)

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements that security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customers' responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received, NIST will update and republish this report and use it as a reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert-p2@nist.gov.

NISTIR_7328-ipdraft.pdf (327 KB)

Sep 28, 2007

SP 800-110

DRAFT Information System Security Reference Data Model

NIST is pleased to announce the release of NIST Draft Special Publication 800-110, Information System Security Reference Data Model. The Information System Security Reference Data Model and its associated XML taxonomy and schema are intended to:
- Serve as a guideline for software tool developers and federal agencies that wish to develop an automated process for managing an information security program; and
- Enable greater interoperability between information system security tools, resulting in more practical and cost-effective information security program management.

Comments on draft 800-110 will be accepted through October 31, 2007. Comments should be submitted via email to 800-110comments@nist.gov, or forwarded to the Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-110, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, MD 20899-8930.

Draft-SP800-110.pdf (247 KB)

Sep 28, 2007

SP 800-82

DRAFT Guide to Industrial Control Systems (ICS) Security

The second public draft of SP 800-82 is available for public comment. It provides guidance on how to secure ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the first public draft, which was released in 2006. NIST requests comments on NIST SP 800-82 by November 30, 2007. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

2nd-Draft-SP800-82-clean.pdf (2,245 KB)
2nd-Draft-SP800-82-markup.pdf (2,001 KB)
2nd-Draft-SP800-82-clean.pdf.zip (1,739 KB)
2nd-Draft-SP800-82-markup.pdf.zip (1,701 KB)

Aug 2, 2007

SP 800-48 Rev. 1

DRAFT Wireless Network Security for IEEE 802.11a/b/g and Bluetooth

SP 800-48 Revision 1 provides an overview of wireless networking technologies and gives detailed information on two standards commonly used in office environments and by mobile workforces: Institute of Electrical and Electronics Engineers (IEEE) 802.11a/b/g and IEEE 802.15.1, better known as Bluetooth. The publication seeks to assist organizations in reducing the risks associated with these forms of wireless networking. SP 800-48 Revision 1 updates the original version of SP 800-48, which was released in November 2002. SP 800-48 Revision 1 complements, and does not replace, SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. People seeking information on IEEE 802.11i should consult SP 800-97. NIST requests comments on NIST SP 800-48 Revision 1 by September 14, 2007. Please submit comments to 800-48comments@nist.gov with "Comments SP 800-48" in the subject line.

Draft-SP800-48r1.pdf (4.33 MB)
Draft-SP800-48r1_pdf.zip (2.21 MB)

Jul 18, 2007

SP 800-106

DRAFT Randomized Hashing Digital Signatures

NIST announces the release of draft Special Publication 800-106, Randomized Hashing Digital Signatures. This Recommendation provides a technique to randomize the input messages to hash functions prior to the generation of digital signatures to strengthen security of the digital signatures. Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-106" in the subject line. The comment period closes on September 17, 2007.

Draft-SP800-106.pdf (318 kB)

Jul 13, 2007

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules

Draft FIPS 140-3 is the proposed revision of FIPS 140-2. The draft specifies five security levels instead of the four found in FIPS 140-2; has a separate section for software security; requires mitigation of non-invasive attacks when validating at higher security levels; introduces the concept of public security parameters; allows the deferral of certain self-tests until specific conditions are met; and strengthens the requirements on user authentication and integrity testing. Please submit electronic comments to FIPS140-3@nist.gov with "Comments on Draft 140-3" in the subject line. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive, Stop 8930. Comments must be received on or before October 11, 2007.

fips1403Draft.pdf (1,280 kB)

Jun 12, 2007

FIPS 198-1

DRAFT The Keyed-Hash Message Authentication Code (HMAC)

Draft FIPS 198-1 is the proposed revision of FIPS 198. The draft specifies a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions and shared secret keys. Security issues related to the HMAC algorithm, its applications, and its truncation technique are addressed in NIST Special Publication 800-57, Recommendation for Key Management, and draft NIST Special Publication 800-107, Recommendation for Using Approved Hash Algorithms. Draft NIST Special Publication 800-107 will be available in the near future. Please submit comments to proposed198-1@nist.gov with "Comments on Draft 198-1" in the subject line. The comment period closes on September 10, 2007.

draft_FIPS-198-1_June-08-2007.pdf (66 kB)

Jun 12, 2007

FIPS 180-3

DRAFT Secure Hash Standard (SHS)

Draft FIPS 180-3 is the proposed revision of FIPS 180-2. The draft specifies five secure hash algorithms (SHAs), called SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512, which are used to condense input messages to fixed-length messages, called message digests. These algorithms produce 160-, 224-, 256-, 384-, and 512-bit message digests, respectively. The security strengths of these hash algorithms are specified in NIST Special Publication (SP) 800-57, Recommendation for Key Management. Recommendations for using these hash algorithms will be discussed in draft NIST SP 800-107, Recommendation for Using Approved Hash Algorithms. Draft NIST Special Publication 800-107 will be available in the near future. Please submit comments to Proposed180-3@nist.gov with "Comments on Draft 180-3" in the subject line. The comment period closes on September 10, 2007.

draft_fips-180-3_June-08-2007.pdf (190 kB)

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of the draft of Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. SP 800-103 is available for a six-week public comment period. This document covers the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas as a framework for retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15, 2006. Comment period is NOW closed.

sp800-103-draft.pdf (699 kB)
draft-sp800-103.zip (558 kB)

May 4, 2006

SP 800-80

DRAFT Guide for Developing Performance Metrics for Information Security

NIST's Computer Security Division has completed the initial public draft of Special Publication 800-80, Guide for Developing Performance Metrics for Information Security. This guide is intended to assist organizations in developing metrics for an information security program. The methodology links information security program performance to agency performance. It leverages agency-level strategic planning processes and uses security controls from NIST SP 800-53, Recommended Security Controls for Federal Information Systems, to characterize security performance. To facilitate the development and implementation of information security performance metrics, the guide provides templates, including at least one candidate metric for each of the security control families described in NIST SP 800-53. Comment period is NOW closed.

draft-sp800-80-ipd.pdf (762 kB)

Mar 13, 2006

FIPS 186-3

DRAFT Digital Signature Standard (DSS)

Draft FIPS 186-3 is the proposed revision of FIPS 186-2. The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This draft includes requirements for obtaining the assurances necessary for valid digital signatures. Methods for obtaining these assurances are provided in Draft NIST Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications (see the write-up for draft SP 800-89 below). Please submit comments to Elaine Barker at NIST with "Comments on Draft 186-3" in the subject line. The comment period closes on June 12, 2006. Comment period is NOW closed.

See note above dated December 28, 2007 regarding RSA Strong Primes.

Draft-FIPS-186-3%20_March2006.pdf (474 kB)