- September 29, 2004 - NIST Special Publication 800-52, Guidelines on the Selection and Use of Transport Layer Security (Adobe PDF file, 325 KB)
NIST is pleased to announce the first public draft of Special Publication
800-52, Guidelines on the Selection and Use of Transport Layer Security.
This document is a guideline for implementing Transport Layer Security
in the Federal Government to protect sensitive information. Care must
be taken when selecting cryptographic mechanisms for authentication,
confidentiality, and message integrity, as some choices are non-compliant
with Government standards, or may pose security risks. The comment period
for this document will be 30 days, ending on November 1st, 2004.
Please direct all comments and questions to Matthew J. Fanto at matthew.fanto@nist.gov.
- September 28, 2004 - NIST Special Publication 800-53 (Second Public Draft), Recommended Security Controls for Federal Information Systems (Adobe PDF file, 1.56 MB; zipped PDF file, 1.20 MB)
NIST has completed the second draft of Special Publication 800-53, Recommended
Security Controls for Federal Information Systems. This draft guideline
provides a recommended set of security controls for low, moderate, and
high impact information systems based upon the system's FIPS 199 security
categorization. Final publication is anticipated on or about January 31, 2005.
Special Publication 800-53, when finalized, will serve as NIST interim
guidance on security controls for federal information systems until
December 2005, which is the statutory deadline to publish minimum standards
for all non-national security systems.
Comments may be sent to sec-cert@nist.gov
until November 30, 2004.
- August 12, 2004 - DRAFT NIST Special Publication 800-70, The NIST Security Configuration Checklists Program
NIST, with sponsorship from the Department of Homeland Security (DHS), has produced Draft
NIST Special Publication 800-70: Security Configuration Checklists Program
for IT Products to facilitate the development and dissemination of
security configuration checklists ("benchmark settings"). The
Cyber Security Research and Development Act of 2002 tasks NIST to "develop,
and revise as necessary, a checklist setting forth settings and option
selections that minimize the security risks associated with each computer
hardware or software system that is, or is likely to become widely used
within the Federal Government." Such checklists, when combined with
well-developed guidance, leveraged with high-quality security expertise,
vendor product knowledge, operational experience, and accompanied with
tools, can markedly reduce the vulnerability exposure of an organization.
This publication is intended for users and developers of IT product security
configuration checklists. For checklist users,
this document gives an overview of the NIST Checklist Program, explains
how to retrieve checklists from NIST's repository, and provides general
information about threat models and baseline technical security policies
for associated operational environments. For checklist developers, the
publication sets forth the policies, procedures, and general requirements
for participation in the NIST Checklist Program. In the winter, we expect
to launch a web site for checklist distribution.
Comments may be sent to checklists@nist.gov
by September 30, 2004.
- August 8, 2004 - DRAFT NIST Special Publication 800-72, Guidelines on PDA Forensics (Adobe PDF file, 487 KB)
NIST has prepared the
draft Special Publication 800-72, entitled Guidelines on PDA Forensics,
and is requesting public comment on its contents. The document was developed
to help organizations evolve appropriate policies and procedures for dealing
with PDA forensics and to provide forensic specialists with a background
on the technology, tools, and principles involved. The intended audience
ranges from response team members handling a computer security incident
to organizational security officials investigating an employee-related
situation to forensic examiners involved in criminal investigations. NIST
requests comments by September 3, 2004. Comments should be emailed to
PDAforensics@NIST.Gov.
- July 7, 2004 - DRAFT Special Publication 800-65, Integrating Security into the Capital Planning and Investment Control Process (Adobe PDF file, 3,340 KB; zipped PDF file, 2,702 KB)
NIST is pleased to
announce the release for public comment of draft guidance Special Publication
800-65, Integrating Security into the Capital Planning and Investment
Control Process. This draft publication presents a methodology which agencies
can apply in preparing their information technology budget submissions.
It is required that security costs be included as part of the request.
The publication addresses techniques applicable at both the enterprise-wide
and system level and offers a process for prioritizing investments by
integrating both interests. Included in the discussion are a set of risk
factors which should be considered in addressing security control integration.
The document maps current security requirements to the major components
of the Capital Planning and Investment Control process (CPIC) and
to the Select-Control-Evaluate Investment Life Cycle model promoted by
GAO. Comments on the draft are requested by August 12th to:
sec-cpic@nist.gov. The draft guideline is available in .PDF format.
Request for Comments is now CLOSED.
- June 28, 2004 - DRAFT Special Publication 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
NIST has completed the draft NIST Special
Publication 800-68, Guidance for Securing Microsoft Windows XP Systems
for IT Professionals: A NIST Security Configuration Checklist. NIST
Special Publication 800-68 has been created to assist IT professionals,
in particular Windows XP system administrators and information security
personnel, in effectively securing Windows XP systems. It discusses Windows
XP and various application security settings in technical detail. The
guide provides insight into the threats and security controls that are
relevant for various operational environments, such as for a large enterprise
or a home office. It describes the need to document, implement, and test
security controls, as well as to monitor and maintain systems on an ongoing
basis. It presents an overview of the security components offered by Windows
XP and provides guidance on installing, backing up, and patching Windows
XP systems. It discusses security policy configuration, provides an overview
of the settings in the accompanying NIST security templates, and discusses
how to apply additional security settings that are not included in the
NIST security templates. It demonstrates securing popular office productivity
applications, Web browsers, e-mail clients, personal firewalls, antivirus
software, and spyware detection and removal utilities on Windows XP systems
to provide protection against viruses, worms, Trojan horses, and other
types of malicious code. NIST requests comments by August 3, 2004. Comments
should be addressed to itsec@nist.gov.
Request for Comments is now CLOSED.
- May 12, 2004 - DRAFT Special Publication 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Adobe PDF file, 1,895 KB)
We have recently
completed a draft of NIST Special Publication 800-66, An Introductory
Resource Guide for Implementation of the Health Insurance Portability
and Accountability Act (HIPAA) Security Rule, for public comment. The
guidance is intended to assist in identifying available NIST guidance
which can provide useful reference material in addressing the HIPAA
security standards. In addition, for federal agencies subject to both
the Federal Information Security Management Act (FISMA) and HIPAA, it
provides a cross-mapping between the two sets of requirements to help
agencies avoid duplicating work, since the two sets of requirements
overlap. NIST is requesting comments by July 15, 2004. Comments should
be addressed to sec-hipaa@nist.gov.
Request for Comments is now CLOSED.
- May 3, 2004 - DRAFT Special Publication 800-58: Security Considerations for Voice Over IP Systems (Adobe PDF file, 1,239 KB)
This publication
explains the challenges of VOIP security for agency and commercial users
of VOIP, and outlines steps needed to help secure an organization's
VOIP network. Comments are requested by June 18, 2004 and can be submitted
to Rick Kuhn, at sp800-58@nist.gov.
Request for Comments is now CLOSED.
- December 1, 2003 - FIPS 180-2, the Secure Hash Standard (change notice)
NIST is proposing a change
notice (pdf format) for FIPS 180-2, the Secure Hash Standard
that will specify an additional hash function, SHA-224, that is based
on SHA-256. NIST requests comments for the change notice by January 16,
2004. Comments should be addressed to ebarker@nist.gov.
Request for comments is now CLOSED.
- January 2003 - DRAFT Special Publication 800-56, Recommendation on Key Establishment Schemes, and DRAFT Special Publication 800-57, Recommendation on Key Management
Key management guidance is currently under development: SP 800-56 (Recommendation
on Key Establishment Schemes) and SP 800-57 (Recommendation on
Key Management). Drafts of these documents are available for review
and comment at http://csrc.nist.gov/CryptoToolkit/tkkeymgmt.html.
- November 5, 2002 - DRAFT Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: the RMAC Authentication Mode (updated version) (Adobe PDF file, 118 KB; zipped PDF file, 88.9 KB)
The draft NIST Special Publication 800-38B specifying the RMAC algorithm
has been updated to provide example
vectors with the AES algorithm as the underlying block cipher.
In the draft Special
Publication, 800-38B, Recommendation for Block Cipher Modes of Operation:
the RMAC Authentication Mode, an algorithm called RMAC is specified
for use with any NIST-approved block cipher algorithm, such as the Advanced
Encryption Standard (AES) algorithm. RMAC entails the generation and
use of a message authentication code (MAC) on given data, which can
provide assurance of the authenticity of the source of data and therefore
of the integrity of the data. Further information on the development
of block cipher modes of operation is available at the modes home page
http://csrc.nist.gov/encryption/modes/.
NIST welcomes public
comments on the draft until December 15, 2002; comments may be sent
to EncryptionModes@nist.gov.
Comment period is NOW closed.
NOTE: If you are looking for a "draft" computer security publication and can't
find it here, the draft probably has been finalized (check the FIPS or
Special Publication link once on this page).
Trouble viewing .pdf files from this page? Here are several tips which will
hopefully resolve the problem.

Are you using Internet Explorer? Internet Explorer requires you to enable
ActiveX controls for .pdf and other plug-ins. If this feature is disabled,
then you will not be able to view .pdf files from the CSRC website and most likely
from other websites as well. When ActiveX controls for .pdf and other plug-ins
are enabled, it should work.

You probably want to check with your system administrator to see if your
browser and/or Adobe Reader is configured properly. This is an FYI on how to
enable the ActiveX control for .pdf and other plug-ins in Microsoft IE;
Netscape uses a different technique. Go to the Tools drop-down menu (top of
your browser menu bar), then left-click on Internet Options, then left-click
the Security tab, then look for the Custom Level button and click it, find
"Run ActiveX controls and Plug-ins" (there will be other references to
ActiveX but choose ONLY this one), and click the Enable circle. Then hit
OK to exit.

Once this feature is enabled, you will be able to view .pdf files from our
CSRC website or any other website.

If you don't want to view the .pdf files from CSRC with Adobe Reader within
your browser, instead of clicking the link to view the .pdf file(s), you can
place your cursor over the link (the cursor will then change to a hand) and
then RIGHT-click the link. You will see a little window box. Click the
"Save file as" option. Then you will see another window to save the file,
and you can save the file to your system or wherever you would like the file
to be saved. Once you have saved the file, you should be able to open Adobe
Reader without using your browser to view the .pdf file.

If your settings are properly set to download or view .pdf files from the
Internet, several people have told us that in order for them to view a
rather large .pdf file within Adobe Reader, they had to close most or all of
their applications. Also, some people told us that they had to clean out
their temporary cache folders, for there was not enough memory in their
temporary cache.