NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

News & Events

News

Draft Special Publication 800-123 is now available
May 6, 2008
Draft SP 800-123, Guide to General Server Security, is available for public comment. This document is intended to assist organizations in installing, configuring, and maintaining secure servers. SP 800-123 makes recommendations for securing a server's operating system and server software, as well as maintaining the server's secure configuration through application of appropriate patches and upgrades, security testing, log monitoring, and backups of data and operating system files. The document addresses common servers that use general operating systems and are deployed in both outward-facing and inward-facing locations. Comments need to be recieved by June 13, 2008. For more information regarding this draft, please visit CSRC Drafts page - link provided above.

Draft Special Publication 800-66 Revision is now available for Public Comment
May 1, 2008
NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself. Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008. Go to Drafts page to learn more about this draft.

DRAFT Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions
May 1, 2008
NIST announces the release of Draft Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. This Recommendation specifies techniques for key derivation from a secret key using pseudorandom functions (PRF). . The comment period closes on June 28, 2008. To learn more about this draft, please visit the CSRC Drafts page.

FY 2007 Annual Compuater Security Division Report NIST Interagency Report (IR) 7442 Announcement
May 1, 2008
The NIST Computer Security Division is proud to announce the release of NIST Interagency Report (IR) 7442: Computer Security Division - 2007 Annual Report. This publication highlights the diverse research agenda that enabled the Computer Security Division to successfully respond to numerous challenges and opportunities in fulfilling its mission to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services.

Special Publication 800-87 Revision 1 Released
April 30, 2008
NIST is pleased to announce Special Publication 800-87 (SP 800-87) Codes for the Identification of Federal and Federally-Assisted Organizations, Revision 1 - 2008. SP 800-87 Revision 1 - 2008 provides the organizational codes necessary to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique (CHUID). Appendix A of SP 800-87 Revision 1 - 2008 lists the agency code updates incorporated in this revision.

PIV PACS Integration Workshop
April 8, 2008

The National Institute of Standards and Technology (NIST), will hold a public Personal Identity Verification (PIV) Physical Access Control Systems (PACS) Integration workshop on Thursday, May 1, 2008 at the NIST campus in Gaithersburg, MD from 9:30am to 3:30pm. The purpose of the workshop is the exchange of information among the PACS implementers, Federal agencies, and NIST. NIST will provide a briefing on SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), followed by a question and answer session. NIST will facilitate 10 minute individual presentations through which interested individuals may present observations to the group. All material presented will be made public. Individuals desiring to present their observations must contact Ketan Mehta (mehta_ketan@nist.gov) via email and provide an abstract and a power point slides in advance. Workshop registration is required to gain entry to the NIST facilities. Please visit http://www.nist.gov/public_affairs/confpage/conflist.htm to register. The cost of registration is $50. Registration closes on April 28, 2008.

Update on Federal Desktop Core Configuration (FDCC)
April 3, 2008
At the Office of Management and Budget's (OMB) request, NIST is administering public comment for proposed settings changes to the Federal Desktop Core Configuration (FDCC).

Second DRAFT Special Publication 800-39 Managing Risk from Information Systems: An Organizational Perspective
April 3, 2008
NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov .

Draft Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems
April 1, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce a draft publication SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. This draft includes recommendations for increasing the use of asymmetric key architecture and credential validation. Federal agencies and private organizations as well as individuals are invited to review the draft document and submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on May 12, 2008.

NIST Advanced Network Technologies Division has released DRAFT NIST Special Publication 500-267, A Profile for IPv6
April 1, 2008:
NIST Advanced Network Technologies Division has released NIST Special Publication 500-267, A Profile for IPv6 in the U.S. Government - Version 1.0 (PDF), which is now available for public comment. This document is not part of the 800 Series Computer Security Division Publications developed specifically for standards and guidelines, including minimum requirements, for providing adequate information security for all federal agency operations and assets as stated in the Federal Information Security Management Act. Rather, the goal of the profile, and associated proposed testing program, is to provide the technical basis upon which long term USG IPv6 adoption plans and policies can be based. It should be noted that the profile is not intended to be applicable to near term uses (e.g., June 2008 requirements described in M-05-22 (http://www.whitehouse.gov/omb/memoranda/fy2005/m05-22.pdf). Instead, as a forward looking strategic plan, the profiles recommendations are targeted for 2010 and beyond.

Comment Period for Draft SP 800-73-2 has been EXTENDED
March 21, 2008:
The public comment period for Draft SP 800-73-2 has been extended. Public comment are now due by April 18th 2008, 5:00 pm EST.

Track Changes Now Available for Draft Special Publication 800-73-2 (Parts 1-3)
March 18, 2008
The following documents contain the tracked changes from the first to second draft SP800-73-2. Editorial and formatting changes are not tracked. Out of the 4 parts for this document, ONLY Part 4 had NO changes made to it. Please go to the Drafts page to view Part 1, Part 2, and Part 3 track changes.

DRAFT SP 800-64 Rev. 2 Security Considerations in the System Development Life Cycle
March 14, 2008
NIST Draft SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, is now available for public comment from CSRC Drafts page. The purpose of this draft revision is to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This should result in more cost effective, risk appropriate security control identification, development and testing.
 
Comments on Draft SP 800-64 Revision 2 will be accepted through April 28, 2008. Please visit drafts page (link provided above) to learn where to submit comments to.

Second Draft of Special Publication 800-73-2, Interfaces for Personal Identity Verification
March 7, 2008
NIST has posted a second draft of SP 800-73-2 for public comments. This draft incorporates some comments and suggestions that were received after the first public comment period had closed (see 3). The changes since the first draft include: 1) relaxation of the Global PIN security status limitations, 2) incorporation of an optional Global and PIV PIN discovery object, 3) addition of a discovery object for the PIV card application, 4) elimination of the previously proposed optional U-CHUID data object, and 5) resolutions of the first draft public comments. Please go to the DRAFTS page to view the Second Public Draft and to learn more about this draft along with where to forward comments to. A comment template form is also provided. Comments period closes on April 4th 2008.

NIST announces the final release of SP 800-61 Revision 1, Computer Security Incident Handling Guide, and SP 800-28 Version 2, Guidelines on Active Content and Mobile Code.
March 7, 2008
SP 800-61 Revision 1, Computer Security Incident Handling Guide, seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. SP 800-61 Revision 1 updates the original publication, which was released in 2004.
 
SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, provides an overview of active content and mobile code technologies in use today and offers insights for making informed IT security decisions on their application and treatment. Active content refers to electronic documents that contain embedded software components, including mobile code; examples of mobile code are JavaScript, VBScript, Java applets, and ActiveX controls. The publication gives details about the active content and mobile code threats, technology risks, and safeguards for end user systems. SP 800-28 Version 2 is a new version of SP 800-28, which was released in 2001.

Additional Information on OMB Memorandum M-07-16
March 4, 2008
The Office of Management and Budget (OMB) Memorandum M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information", contains a requirement for logging and verifying sensitive database extracts. A frequently asked questions (FAQ) document that provides additional information on this requirement is now available.
 
General comments and questions on the FAQ and the database extract requirement may be addressed to John Barkhamer of OMB at John_W._Barkhamer@omb.eop.gov. Technical comments and questions may be addressed to dataextractfaq@nist.gov.

DRAFT Draft SP 800-63 Revision 1: E-Authentication Guideline Special Publication 800-63 Revision 1:
February 26, 2008
Draft SP 800-63-1 E-Authentication Guideline is available for public comment. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. Comments will be accepted until April 10, 2008. Please visit drafts page to learn more about this draft document and where to forward comments to.

DRAFT Special Publication 800-79-1
February 22, 2008
NIST has drafted a new version of the document “Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations (SP 800-79).” The revised document is titled “Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCI’s)”. This document, after a review and comment period, will be published as NIST SP 800-79-1. Federal agencies and private organizations as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVaccreditation@nist.gov before March 30, 2008. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. To learn more about this draft document, please visit the DRAFT PUBLICATIONS page for more details.

NIST IR 7275 Revision 3
February 1, 2008
NIST announces the release of NIST Interagency Report (NISTIR) 7275 Revision 3, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. This report describes XCCDF, which is a standardized Extensible Markup Language (XML) format that can be used to hold structured collections of security configuration rules for a set of target systems. The XCCDF specification is designed to provide automated testing and scoring that can support FISMA compliance and other efforts. NISTIR 7275 Revision 3 specifies the data model and XML representation for version 1.1.4 of XCCDF; the previous revision of NISTIR 7275 addressed version 1.1.3 of XCCDF.

Free Federal Desktop Core Configuration (FDCC) Implementers Workshop
January 9, 2008
On January 24, 2008, there will be a Free Federal Desktop Core Configuration (FDCC) Implementers Workshop to be held at NIST. Workshop will address technical aspects of FDCC and corresponding Security Content Automation Protocol (SCAP) updates. Additional information relating to the workshop can be found at: http://www.nist.gov:80/public_affairs/confpage/080124.htm .