
Draft Publications

This page lists draft NIST publications (FIPS, Special Publications) that are either open for public review and comment, or are awaiting approval as final documents by the Secretary of Commerce.

Drafts

Feb. 5, 2013

SP 800-53 Rev. 4

DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Final Public Draft)

NIST announces the release of Draft Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Final Public Draft). Special Publication 800-53, Revision 4, represents the culmination of a two-year initiative to update the guidance for the selection and specification of security controls for federal information systems and organizations. This update, the most comprehensive since the initial publication of the controls catalog in 2005, was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, and the Committee on National Security Systems. NIST received and responded to several thousand comments during the extensive public review and comment period.
 
The proposed changes included in Special Publication 800-53, Revision 4, support the federal information security strategy of “Build It Right, Then Continuously Monitor” and are directly linked to the current threat space (i.e., capabilities, intentions, and targeting of adversaries) as well as the attack data collected and analyzed over a substantial period of time. In this update, there is renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services—especially in those systems, components, and services supporting critical organizational missions and business operations (including, for example, critical infrastructure applications). In particular, the major changes in Revision 4 include:
 
   • New security controls and control enhancements addressing the advanced persistent threat (APT), supply chain, insider threat, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance;
 
   • Clarification of security control language;
 
   • New tailoring guidance including the fundamental assumptions used to develop the security control baselines;
 
   • Significant expansion of supplemental guidance for security controls and enhancements;
 
   • Streamlined tailoring guidance to facilitate customization of baseline security controls;
 
   • New privacy controls and implementation guidance based on the internationally recognized Fair Information Practice Principles;
 
   • Updated security control baselines;
 
   • New summary tables for security controls and naming convention for control enhancements to facilitate ease-of-use;
 
   • New mapping tables for ISO/IEC 15408 (Common Criteria);
 
   • The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation, and information technologies; and
 
   • Designation of assurance-related controls for low-impact, moderate-impact, and high-impact information systems and additional controls for responding to high assurance requirements.
 
As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs depend first and foremost on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions. The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based information security programs—capable of addressing sophisticated threats.
 
To support the final public review process, NIST will publish a markup version of Appendices D, F, and G (i.e., baseline allocations and the catalog of security controls for information systems and organizations) on or about February 8th to show the changes from the initial public draft. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. There will not be any markups provided for the main chapters or other appendices. A markup showing changes from Revision 3 to Revision 4 for the aforementioned appendices will be provided upon final publication of Special Publication 800-53, anticipated for April 2013.
 
Public comment period: February 5th through March 1st, 2013.
 
Comments can be sent to: sec-cert@nist.gov .

sp800_53_r4_draft_fpd.pdf (3.3 MB)
sp800_53_r4_appendix_d_markup_draft2.pdf (1.2 MB)
sp800_53_r4_appendix_f_markup_draft2.pdf (3.3 MB)
sp800_53_r4_appendix_g_markup_draft2.pdf (120 KB)

Feb. 1, 2013

SP 800-63-2

DRAFT Electronic Authentication Guideline

NIST announces the release of Draft Special Publication 800-63-2, Electronic Authentication Guideline for public review and comment. This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication will supersede NIST Special Publication 800-63-1.
 
This draft is a limited update of Special Publication 800-63-1, and substantive changes are made only in Section 5, Registration and Issuance Processes. The substantive changes in the revised draft are intended to facilitate the use of professional credentials in the identity proofing process, and to reduce the need to use postal mail to an address of record to issue credentials for Level 3 remote registration. Other changes to Section 5 are minor explanations and clarifications. New or revised text is highlighted in the review draft. Other sections of NIST Special Publication 800-63-1 have not been changed in this draft.
 
Please submit comments on the revision to eauth-comments@nist.gov with the subject line: “Draft SP 800-63-2 Comments”. The comment period closes on March 4, 2013.

sp800_63_2_draft.pdf (1.1 MB)
sp800_63_2_draft_comment_form.doc (87 KB)

Dec. 21, 2012

NIST IR-7904

DRAFT Trusted Geolocation in the Cloud: Proof of Concept Implementation

NIST announces the public comment release of Draft Interagency Report (IR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired. The publication is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation.
 
NIST requests comments on Draft IR 7904 by Thursday, January 31, 2013. Please send comments to ir7904-comments@nist.gov, with the subject "IR 7904 Comments".

draft_nistir_7904.pdf (1.9 MB)

Dec. 6, 2012

NIST IR-7298 Rev. 2

DRAFT Glossary of Key Information Security Terms

NIST Interagency Report (IR) 7298 Revision 2, NIST Glossary of Key Information Security Terms is the latest revision of the NIST Information Security Glossary and Information Assurance Glossary.
 
This update to NIST Interagency Report (IR) 7298 Revision 1 is open for public comment, and the deadline to submit comments is January 15, 2013. If you have questions regarding this document, please send email to: Secglossary@nist.gov.

nistir7298_r2_draft.pdf (1.2 MB)

Oct. 31, 2012

SP 800-164

DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices

NIST announces the public comment release of the draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices. The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities (device integrity, isolation, and protected storage) through the use of hardware-based roots of trust.
 
The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.
 
NIST requests comments on draft NIST SP 800-164 by December 14th, 2012. Please submit all comments to 800-164comments@nist.gov.

sp800_164_draft.pdf (340 KB)

Sept. 6, 2012

SP 800-88 Rev. 1

DRAFT Guidelines for Media Sanitization

NIST announces the release of Draft Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, for public review and comment. SP 800-88 discusses methods, techniques, and best practices for the sanitization of target data on different media types, and risk-based approaches organizations can apply to establish and maintain a media sanitization program.
 
Please submit public comments to 800-88r1Comments@nist.gov. The comment period closes on November 30, 2012.

sp800_88_r1_draft.pdf (428 KB)

Sept. 5, 2012

SP 800-90C

DRAFT Recommendation for Random Bit Generator (RBG) Constructions

NIST requests comments on two Draft publications for random bit generation: Draft SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation and Draft SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions.
 
SP 800-90B specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. A list of questions relating to SP 800-90B is also provided for reviewers.
 
SP 800-90C specifies constructions for the implementation of random bit generators (RBGs). An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms as specified in SP 800-90A and entropy sources as specified in SP 800-90B. SP 800-90A is available at http://csrc.nist.gov/publications/PubsSPs.html#800-90A.
 
Please send comments to rbg_comments@nist.gov by December 5, 2012. For the comments on SP 800-90B, please put “Comments on Entropy Sources” in the subject line. For the comments on SP 800-90C, please put “Comments on RBG Constructions” in the subject line.

draft-sp800-90c.pdf (1.67 MB)

Sept. 5, 2012

SP 800-90B

DRAFT Recommendation for the Entropy Sources Used for Random Bit Generation

NIST requests comments on two Draft publications for random bit generation: Draft SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation and Draft SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions.
 
SP 800-90B specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. A list of questions relating to SP 800-90B is also provided for reviewers.
 
SP 800-90C specifies constructions for the implementation of random bit generators (RBGs). An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms as specified in SP 800-90A and entropy sources as specified in SP 800-90B. SP 800-90A is available at http://csrc.nist.gov/publications/PubsSPs.html#800-90A.
 
Please send comments to rbg_comments@nist.gov by December 5, 2012. For the comments on SP 800-90B, please put “Comments on Entropy Sources” in the subject line. For the comments on SP 800-90C, please put “Comments on RBG Constructions” in the subject line.

draft-sp800-90b.pdf (1.7 MB)
questions-about_draft-sp800-90b.pdf (61 KB)

Sept. 5, 2012

SP 800-40 Rev. 3

DRAFT Guide to Enterprise Patch Management Technologies

NIST announces the public comment release of draft NIST Special Publication (SP) 800-40 Revision 3, Guide to Enterprise Patch Management Technologies. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies and it also briefly discusses metrics for measuring the technologies’ effectiveness. Draft NIST SP 800-40 Revision 3 replaces the previous release (version 2), which was published in 2005.
 
NIST requests comments on draft SP 800-40 Revision 3 by Friday, October 19. Please send comments to 800-40comments@nist.gov, with the subject "SP 800-40 Comments".

draft-sp800-40rev3.pdf (468 KB)

Aug 20, 2012

SP 800-56A Rev.

DRAFT Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision)

NIST announces the release of draft revision of Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. SP 800-56A specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and MQV key establishment schemes. The revision is made on the March 2007 version. The main changes are listed in Appendix D.
 
Please submit comments to 56A2012rev-comments@nist.gov with "Comments on SP 800-56A (Revision)" in the subject line. The comment period closes on October 31, 2012.

draft-sp-800-56a.pdf

August 8, 2012

SP 800-152

DRAFT A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS)

NIST is developing a Special Publication (SP 800-152) that will be entitled A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS). This Profile will be based on the Special Publication 800-130, entitled “A Framework for Designing Cryptographic Key Management Systems.” The Framework covers topics that should be considered by a product or system designer when designing a CKMS and specifies requirements for the design and its documentation. The Profile, however, will cover not only a CKMS design, but also its procurement, installation, management, and operation throughout its lifetime.
 
An initial draft of the Profile requirements is now available for public comment and for discussion by participants of the CKM Workshop scheduled for September 10-11.
 
Please provide comments by October 10, 2012 to ckmsdesignframework@nist.gov, with "Comments on SP 800-152 Profile Requirements" in the subject line.

draft-sp-800-152.pdf (365 KB)

July 30, 2012

SP 800-147B

DRAFT BIOS Protection Guidelines for Servers

NIST announces the public comment release of the draft NIST SP 800-147B, BIOS Protection Guidelines for Servers. This guide is intended to mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic Input/Output System (BIOS), in server-class systems. This guide identifies security requirements and guidelines for a secure BIOS update process, using digital signatures to authenticate updates. The intended audience for this document includes BIOS and platform vendors of server-class systems, and information system security professionals who are responsible for procuring, deploying, and managing servers.
 
This document is the second in a series of publications on BIOS protections. The first document, SP800-147, BIOS Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in enterprise environments. In the future, NIST intends to develop a new publication providing an overview of BIOS protections for IT security professionals to be released as SP800-147rev1, and will reissue the current SP800-147 as SP800-147A at that time.
 
NIST requests comments on draft NIST SP 800-147B by September 14th, 2012. Please submit all comments to 800-147comments@nist.gov.

draft-sp800-147b_july2012.pdf (244 KB)

July 25, 2012

SP 800-94 Rev. 1

DRAFT Guide to Intrusion Detection and Prevention Systems (IDPS)

NIST announces the public comment release of Draft Special Publication (SP) 800-94 Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007. NIST requests comments on draft SP 800-94 Revision 1 by Friday, August 31, 2012. Please send comments to 800-94comments@nist.gov, with the subject "SP 800-94 Comments".

draft_sp800-94-rev1.pdf (1.7 MB)

July 25, 2012

SP 800-83 Rev. 1

DRAFT Guide to Malware Incident Prevention and Handling for Desktops and Laptops

NIST announces the public comment release of Draft Special Publication (SP) 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Draft SP 800-83 Revision 1 updates the original SP 800-83, which was released in 2005. NIST requests comments on draft SP 800-83 Revision 1 by Friday, August 31, 2012. Please send comments to 800-83comments@nist.gov, with the subject "SP 800-83 Comments".

draft_sp800-83-rev1.pdf (790 KB)

Jul 10, 2012

SP 800-124 Rev. 1

DRAFT Guidelines for Managing and Securing Mobile Devices in the Enterprise

NIST announces the public comment release of Draft Special Publication (SP) 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise. The purpose of this publication is to help organizations centrally manage and secure mobile devices against a variety of threats. This publication provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices.
 
NIST requests comments on Draft SP 800-124, Revision 1 by Friday, August 17. Please send comments to 800-124comments@nist.gov, with the subject "SP 800-124 Comments".

draft_sp800-124-rev1.pdf (600 KB)

Jul 10, 2012

NIST IR-7823

DRAFT Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The voluntary conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system’s conformance with the NEMA standard.
 
NIST requests public comments on draft NISTIR 7823 by COB August 9, 2012. Electronic comments should be sent to: Michaela Iorga (NIST Computer Security Division) at michaela.iorga@nist.gov, with a Subject line: NISTIR 7823 Comments.

draft_nistir-7823.pdf (4 MB)
draft-nistir-7823_comment-form.docx (22 KB)

Jul. 9, 2012

SP 800-76-2

DRAFT Biometric Data Specification for Personal Identity Verification

NIST is releasing a revised draft of Special Publication 800-76-2, Biometric Specifications for Personal Identity Verification, supporting the Revised Draft FIPS 201-2. Comments are invited by August 10, 2012 using the dedicated template listed below.
 
Simultaneously, NIST has also released a Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors.

draft-sp-800-76-2_revised.pdf (1.6 MB)
comments-template-for_draft-sp800-76-2.docx (38 KB)

Jul 9, 2012

FIPS 201-2

DRAFT Personal Identity Verification (PIV) of Federal Employees and Contractors (REVISED DRAFT)

NIST is Pleased to Announce the Revised Draft FIPS 201-2 and Associated Public Workshop July 9, 2012
 
The NIST Computer Security Division is pleased to release the Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. The Revised Draft FIPS 201-2 reflects the disposition of comments received from the first public comment Draft FIPS 201-2 (the 2011 Draft) published on March 8, 2011. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the Revised Draft. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD, to present the Revised Draft FIPS 201-2.
 
Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on the Revised Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930. Electronic comments may be sent to: piv_comments@nist.gov. Please state "Revised Draft FIPS 201-2 Comments" in the subject line of the email. Comments must be received by August 10, 2012 using the comment template listed below.
 
The Revised Draft and its track change version (indicating modification from the 2011 Draft to the Revised Draft FIPS 201-2) are also provided via a link below. FIPS 201-1 (Standard in effect) is available electronically from the NIST web site at http://csrc.nist.gov/publications/PubsFIPS.html.
 
A summary and analysis of the comments received during the public comment period of the 2011 Draft and NIST's disposition of these comments, as reflected in the Revised Draft FIPS 201-2, are provided in the Federal Register Notice (FRN). The complete set of comments and dispositions are provided in a link provided below.
 
Simultaneously, NIST is releasing a revised draft of Special Publication 800-76-2 Biometric Specifications for Personal Identity Verification, supporting the Revised Draft FIPS 201-2.
 
The public workshop on the Revised Draft FIPS 201-2 will be held on Wednesday, July 25, 2012, at NIST in Gaithersburg, Maryland, which may also be attended remotely via webcast. The purpose of the workshop is to exchange information on the Revised Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Revised Draft. The agenda and related information for the public workshop, including information about the webcast, will be available at the workshop website (link above). Anyone wishing to attend the workshop in person must pre-register at http://www.nist.gov/itl/csd/ct/fips201-2_workshop_2012.cfm by 5:00pm Eastern Time on Monday, July 18th, 2012, in order to enter the NIST facility and attend the workshop.

draft_nist-fips-201-2_revised.pdf (9 MB)
comment-template_draft-nist-fips201-2_revised.xls (24 KB)
draft-nist-fips-201-2-revised_track-changes.pdf (12 MB)
draft-fips-201-2_comments_disposition-for-2011-draft.pdf (5 MB)

May 7, 2012

NIST IR-7848

DRAFT Specification for the Asset Summary Reporting Format 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.
 
NIST requests public comments on draft NISTIR 7848 by June 6, 2012. Comments should be sent to asr-comments@nist.gov.

draft_nistir_7848.pdf (815 KB)

Apr. 13, 2012

SP 800-130

DRAFT A Framework for Designing Cryptographic Key Management Systems

NIST requests comments on SP 800-130, A Framework for Designing Cryptographic Key Management Systems. This is a revision of the document that was provided for public comment in June 2010. Comments are requested by July 30, 2012 and should be sent to ckmsdesignframework@nist.gov, with "Comments on SP 800-130" in the subject line. Another document, SP 800-152, which provides a basic profile of this framework document for the Federal government, will be available for initial comment later this year.

second-draft_sp-800-130_april-2012.pdf (1.2 MB)

April 10, 2012

FIPS 186-3 Proposed Change

DRAFT Proposed Change Notice for Digital Signature Standard (DSS)

NIST requests comments on proposed changes to Federal Information Processing Standard 186-3, the Digital Signature Standard. The Federal Register Notice requests that electronic comments be sent by May 25, 2012 to: fips_186-3_change_notice@nist.gov, with "186-3 Change Notice" in the subject line. The first link below is the Proposed Change Notice for FIPS 186-3. The second link below is the current approved FIPS 186-3.
 
The Federal Register Notice for this proposed change notice for FIPS 186-3 can be accessed by clicking the link "Federal Register Notice".

change-notice_fips-186-3.pdf (152 KB)
fips_186-3.pdf

Jan. 20, 2012

NIST IR-7800

DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.
 
NIST requests comments on draft NISTIR 7800 by February 17th, 2012. Please send all comments to fe-comments@nist.gov.

Draft-NISTIR-7800.pdf (515 KB)

Jan. 6, 2012

SP 800-117 Rev. 1

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2

NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.
 
NIST requests comments on draft SP 800-117 Revision 1 by February 17th, 2012. Please send all comments to 800-117comments@nist.gov.

Draft-SP800-117-r1.pdf (153 KB)

Jan. 6, 2012

NIST IR-7799

DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.
 
NIST requests comments on draft NISTIR 7799 by February 17th, 2012. Please send all comments to fe-comments@nist.gov.

Draft-NISTIR-7799.pdf (1.2 MB)

Jan. 6, 2012

NIST IR-7756

DRAFT CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture

NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
 
NIST requests comments on draft NISTIR 7756 by February 17th, 2012. Please send all comments to fe-comments@nist.gov.

Draft-NISTIR-7756_second-public-draft.pdf (942 KB)

Dec. 8, 2011

SP 800-155

DRAFT BIOS Integrity Measurement Guidelines

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization, either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
 
NIST requests comments on draft SP 800-155 by January 20, 2012. Please submit comments to 800-155comments@nist.gov, with "Comments SP 800-155" in the subject line.

draft-SP800-155_Dec2011.pdf (816 KB)

Dec. 6, 2011

NIST IR-7831

DRAFT Common Remediation Enumeration (CRE) Version 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7831, Common Remediation Enumeration Version 1.0. NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.
 
NIST requests public comments on draft NISTIR 7831 by January 20, 2012. Comments should be sent to remediation-comments@nist.gov.

Draft-NISTIR-7831.pdf (978 KB)

Feb. 10, 2011

NIST IR-7670

DRAFT Proposed Open Specifications for an Enterprise Remediation Automation Framework

NIST announces the public comment release of the draft NIST Interagency Report (NISTIR) 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements.
 
NIST requests comments on draft NISTIR 7670 by March 11th, 2011. Please submit all comments to remediation-comments@nist.gov.

Draft-NISTIR-7670_Feb2011.pdf (333 KB)

Mar. 10, 2010

NIST IR-7669

DRAFT Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements

Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
 
If you have questions or want to send comments regarding this document, please send email to: IR7669comments@nist.gov. There is a 30-day period for comments and the deadline to submit comments is Friday, April 9, 2010.

draft-nistir-7669.pdf (277 KB)

Dec. 11, 2009

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules (Revised Draft)

The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
 
All comments to the Revised Draft FIPS 140-3 must be received on or before March 11, 2010. Please use the template provided. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Michaela Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov, with "Comments on the Revised Draft FIPS 140-3" in the subject line.
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found here on CSRC. Also, a complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST’s responses to these comments is also available on CSRC.

revised-draft-fips140-3_PDF-zip_document-annexA-to-annexG.zip (706 KB)
revised-fips140-3_comments-template.dot (38 KB)

Sept. 11, 2009

SP 800-85B-1

DRAFT PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Part 1, and update existing tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 25, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

draft-sp800-85B-1.pdf (1.3 MB)
sp800-85B_Change_Summary.pdf (14 KB)
Comment-Template_sp800-85B-1.xls (18 KB)

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.

draft-sp800-65rev1.pdf (679 KB)

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.

draft-sp800-118.pdf (181 KB)

Mar. 20, 2009

SP 800-16 Rev. 1

DRAFT Information Security Training Requirements: A Role- and Performance-Based Model

The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.

Draft-SP800-16-Rev1.pdf (1,197 KB)

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements that security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some of the customer's responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on the comments received, NIST will update and republish this report and use it as a reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert-p2@nist.gov.

NISTIR_7328-ipdraft.pdf (327 KB)

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of the Draft Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. SP 800-103 is available for a six-week public comment period. This document covers the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas as a framework for the retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. Comment period is NOW closed.

sp800-103-draft.pdf (699 kB)