2004 News and Announcements
October:
September:
- September 29, 2004 -- NIST
is pleased to announce the first public draft
of Special Publication 800-52, Guidelines on the Selection and Use of
Transport Layer Security. This document is a guideline for implementing
Transport Layer Security in the Federal Government to protect sensitive
information. Care must be taken when selecting cryptographic mechanisms
for authentication, confidentiality, and message integrity, as some
choices are non-compliant with Government standards, or may pose security
risks. The comment period for this document will be 30 days, ending
on November 1st, 2004. Please direct all comments and questions to Matthew
J. Fanto at matthew.fanto@nist.gov.
- September 28, 2004 -- NIST
has completed the second public draft of Special
Publication 800-53, Recommended Security Controls for Federal Information
Systems. This draft guideline provides a recommended set of security
controls for low, moderate, and high impact information systems based
upon the system's FIPS 199 security categorization. Final publication
is anticipated on or about January 31, 2005. Special Publication 800-53, when
finalized, will serve as NIST interim guidance on security controls
for federal information systems until December 2005, which is the statutory
deadline to publish minimum standards for all non-national security
systems. Comments may be sent to sec-cert@nist.gov
until November 30, 2004.
- September 16, 2004 -- On
November 9 and 10 2004, the Federal Trade Commission and National Institute
of Standards and Technology will co-sponsor a Summit
on Email Authentication at the Federal Trade Commission Satellite
Building in Washington DC. The purpose of the Summit is to facilitate discussions
and encourage the development, testing, evaluation and implementation
of domain-level authentication systems as a way to better filter spam.
The summit is open to the public.
- September 10, 2004 -- NIST
is proud to announce the release of NIST
Interagency Report 7100, Personal Digital Assistants (PDA) Forensic Tools: An
Overview and Analysis. Digital handheld devices, such as Personal
Digital Assistants (PDAs), are becoming more affordable and commonplace
in the workplace. When handheld devices are involved in a crime or other
incident, forensic examiners require tools that allow the proper retrieval
and speedy examination of information present on the device. This report
gives an overview of current forensic software designed for the acquisition,
analysis, and reporting of data discovered on PDAs, and an understanding
of their capabilities and limitations.
August:
- August 25, 2004 -- Researchers
have recently announced they have discovered a new way to break a number
of cryptographic hash algorithms. Click here
to read NIST's brief comments on recent cryptanalytic attacks on secure
hashing functions and the continued security provided by SHA-1. SHA-1
is one of the hash functions specified in the Secure
Hash Standard, Federal Information Processing Standard 180-2.
- August 25, 2004 -- NIST
invites and requests nominations of individuals for appointment to the
Information Security and Privacy Advisory Board (ISPAB).
The call for nominations can be found here.
The Board advises the Director of NIST, the Secretary of Commerce and
the Director of OMB on information security matters.
- August 19, 2004 -- On October
6 and 7, 2004: NIST, with co-sponsorship from Department of Homeland
Security (DHS) and the National Cyber Security Partnership's Coordinating
Committee, will hold a Common
Criteria Users' Forum (CCUF) at Crowne Plaza Hotel located at 14th
and K Street, NW, Washington, DC. The CCUF complements and supplements
two studies that address issues related to the use of the Common Criteria
and to the U.S. NIAP process that implements Common Criteria. These
studies are: 1) the ongoing NIAP Review (sponsored by DoD & DHS)
and 2) the completed National
Cyber Security Partnership Technical Standards Task Force Report on
Common Criteria. Common Criteria related stakeholders, including
customers, vendors, Common Criteria evaluators and NIAP representatives,
are invited to attend the Common Criteria Users' Forum.
- August 12, 2004 -- NIST,
with sponsorship from the Department of Homeland Security (DHS), has
produced Draft NIST Special
Publication 800-70: Security Configuration Checklists Program for IT
Products to facilitate the development and dissemination of
security configuration checklists ("benchmark settings"). The Cyber
Security Research and Development Act of 2002 tasks NIST to "develop,
and revise as necessary, a checklist setting forth settings and option
selections that minimize the security risks associated with each computer
hardware or software system that is, or is likely to become widely used
within the Federal Government." Such checklists, when combined with
well-developed guidance, leveraged with high-quality security expertise,
vendor product knowledge, operational experience, and accompanied with
tools, can markedly reduce the vulnerability exposure of an organization.
This publication is intended for users and developers of IT product
security configuration checklists.
For checklist users, this document gives an overview of the NIST Checklist
Program, explains how to retrieve checklists from NIST's repository,
and provides general information about threat models and baseline technical
security policies for associated operational environments. For checklist
developers, the publication sets forth the policies, procedures, and
general requirements for participation in the NIST Checklist Program.
In the winter, we expect to launch a web site for checklist distribution.
Comments may be sent to checklists@nist.gov
by September 30, 2004. Comment period is NOW closed.
- August 6, 2004 -- NIST has
prepared the draft Special
Publication 800-72, entitled Guidelines on PDA Forensics, and is
requesting public comment on its contents. The document was developed
to help organizations evolve appropriate policies and procedures for
dealing with PDA forensics and to provide forensic specialists with
a background on the technology, tools, and principles involved. The
intended audience ranges from response team members handling a computer
security incident to organizational security officials investigating
an employee-related situation to forensic examiners involved in criminal
investigations. NIST requests comments by September 3, 2004. Comment
period is NOW closed. Questions can be emailed to PDAforensics@NIST.Gov.
July:
- July 27, 2004 -- NIST has
determined that the strength of the (single) Data Encryption Standard
(DES) algorithm is no longer sufficient to adequately protect Federal
government information. As a result, NIST proposes
to withdraw FIPS 46-3, which specifies the DES, and two related standards.
Future use of DES by Federal agencies is to be permitted only as a component
function of the Triple Data Encryption Algorithm (TDEA; see NIST
Special Publication 800-67). TDEA may be used for the protection
of Federal information; however, NIST encourages agencies to implement
the faster and stronger algorithm specified by FIPS 197, Advanced Encryption
Standard (AES) instead. Comments must be received on or before
September 9, 2004. Comment period is NOW closed.
For questions please forward them to: descomments@nist.gov
June:
- June 16, 2004 -- The U.S.
General Accounting Office has recently published "Technology Assessment
-- Cybersecurity for Critical Infrastructure Protection." Click
here to read the report. (.pdf file)
- June 10, 2004 -- The National
Institute of Standards and Technology today published NIST Special
Publication 800-60, Guide for Mapping Types of Information and Information
Systems to Security Categories. NIST Special Publication 800-60
is one of several key documents being developed by NIST to support the
implementation of the Federal Information Security Management Act (FISMA)
of 2002. The purpose of the guideline is to assist Federal government
agencies in identifying information types and information systems and
assigning impact levels for confidentiality, integrity, and availability.
Impact levels are based on the security categorization definitions in
FIPS 199. Special Publication 800-60 is posted in two volumes. Volume
I [pdf] provides guidelines for identifying impact levels by type
and suggests management and support information types common to multiple
agencies. Volume
II [pdf] includes examples of mission-based information types and
suggests provisional impact levels for both management and support and
mission-based information types. Rationale for impact level recommendations,
exceptions to recommended levels, and legislative and regulatory requirements
for protection of specific information types are also provided in Volume
II. NIST Special Publication 800-60 is available on the CSRC
Special Publications page. A complete description of the NIST FISMA
Implementation Project is also available.
May:
- May 12, 2004 -- The National
Institute of Standards and Technology today published guidelines on
the security certification and accreditation of federal information
systems. NIST Special Publication 800-37, "Guide for the Security Certification
and Accreditation of Federal Information Systems", is one of several
key documents being developed by NIST to support the implementation
of the Federal Information Security Management Act (FISMA) of 2002.
The new guidelines provide a standardized approach for assessing the
effectiveness of the management, operational, and technical security
controls in an information system and for determining the business or
mission risk to an agency's operations and assets brought about by the
operation of that system. NIST Special Publication 800-37 is available
on the CSRC Special Publications
page. A complete description of the NIST FISMA Implementation Project
is also available at http://csrc.nist.gov/sec-cert.
- May 12, 2004 -- The newly released NIST Special Publication 800-67,
Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher,
is now available.
NIST SP 800-67 specifies the Triple Data Encryption Algorithm (TDEA),
including its primary component cryptographic engine, the Data Encryption
Algorithm (DEA). This recommendation precisely defines the mathematical
steps required to cryptographically protect data using TDEA and to subsequently
process such protected data. When implemented in an SP 800-38 series-compliant
mode of operation and in a FIPS 140-2 compliant cryptographic module,
TDEA may be used by Federal organizations to protect sensitive unclassified
data. A copy of NIST SP 800-67 can be found on the NIST
Special Publications web page.
- May 12, 2004 -- NIST Computer
Security Division has recently completed a draft of NIST Special Publication
800-66, An Introductory Resource Guide for Implementation of the
Health Insurance Portability and Accountability Act (HIPAA) Security
Rule, for public comment. The guidance is intended to assist in
identifying available NIST guidance which can provide useful reference
material in addressing the HIPAA security standards. In addition, for
federal agencies subject to both the Federal Information Security Management
Act (FISMA) and HIPAA, it provides a cross-mapping between the two sets
of requirements to help agencies avoid duplicating work where the
two sets of requirements overlap. The draft is available on the CSRC
Drafts Publications page. NIST is requesting comments by July 15,
2004. Comments should be addressed to sec-hipaa@nist.gov
- May 6, 2004 -- NIST is pleased
to announce a Briefing Day for Special Publication 800-37, "Guide for
the Security Certification and Accreditation of Federal Information
Systems" on Thursday, June 3, 2004, from 9:00 A.M. until 12:30 P.M.
in the Green Auditorium, NIST Main Campus, Gaithersburg, Maryland. The
purpose of the Briefing Day is to provide federal agencies with the
latest information on the implementation of NIST Special Publication
800-37. The target audience for the briefing day is Chief Information
Officers (CIO), Senior Agency Information Security Officers (SAISO),
and Inspectors General (IG). In addition to detailed presentations on
the NIST FISMA project and Special Publication 800-37, representatives
from OMB will be in attendance to provide the latest policy guidance
on the implementation of the special publication. Attendance at the
Briefing Day is by invitation ONLY and limited to federal employees
holding CIO, SAISO, or IG positions. The number of participants is limited
to three per agency or major organizational component. Participants
must be pre-registered. Electronic registration may be done at: http://www.nist.gov/conferences,
click on View Upcoming NIST Conferences, and then scroll down to the
June 3, 2004 Briefing Day. There is no registration fee for this event.
The registration contact is Angela Ellis, (301) 975-3881, angela.ellis@nist.gov,
fax 301-948-2067.
April:
- April 22, 2004 -- The newly
released NIST Interagency Report 7056, Card Technology Developments
and Gap Analysis Interagency Report, is now available. NIST IR 7056
is based on the proceedings of the July 8 and 9, 2003 Storage and Processor
Card-based Technologies Workshop. The report summarizes Federal government
storage and processor card requirements expressed at the workshop, current
capabilities offered by the vendor community, and technical and policy
implementation issues raised at the workshop. A copy of NISTIR 7056
can be found on the NIST Interagency
Report Publications web page.
March:
- March 29, 2004 -- NIST has
completed the second draft of NIST
Special Publication 800-60, Guide for Mapping Types of Information and
Information Systems to Security Categories. The second draft
incorporates suggestions made by participants in the 26 and 27 February
inter-agency workshop on SP 800-60. The purpose of the draft guideline
is to assist Federal government agencies in identifying information
types and information systems and assigning impact levels for confidentiality,
integrity, and availability. Impact levels are based on the security
categorization definitions in FIPS
199. The draft Special Publication 800-60 is posted in two volumes.
Volume I [pdf]
provides guidelines for identifying impact levels by type and suggests
management and support information types common to multiple agencies.
Volume II [pdf]
includes examples of mission-based information types and suggests provisional
impact levels for both management and support and mission-based information
types. Rationale for information type and impact level recommendations
is also provided in Volume II. NIST requests comments on the draft by
May 1, 2004. Comments should be addressed to:
800-60_comments@nist.gov.
Comment period is NOW CLOSED.
- March 16, 2004
-- Deputy Under Secretary of Commerce for Technology Ben Wu testified
today before Congress on NIST's activities to implement its assignments
to develop standards and guidelines in the Federal Information Security
Management Act of 2002.
February:
- February 28, 2004 -- A new
version of FIPS 180-2,
Secure Hash Standard (SHS), is available. This version contains
a change notice that specifies SHA-224 and discusses truncation of the
hash function output in order to provide interoperability.
- February 10, 2004 -- The
Secretary of Commerce has approved FIPS Publication 199, Standards
for Security Categorization of Federal Information and Information Systems.
The FIPS Publication 199 addresses one of the requirements specified
in the Federal Information Security Management Act (FISMA) of 2002 by
providing security categorization standards for information and information
systems. Security categorization standards provide a common framework
and method for expressing security. They promote the effective management
and oversight of information security programs, including the coordination
of information security efforts throughout the civilian, national security,
emergency preparedness, homeland security, and law enforcement communities.
Such standards also enable consistent reporting to OMB and Congress
on the adequacy and effectiveness of information security policies,
procedures, and practices. A copy of the standard can be obtained at:
http://csrc.nist.gov/publications/fips/.
January:
- January 29, 2004 -- The
Department of Commerce has formed an IPv6 Task Force to study deployment
issues. The Task Force has published an RFC (Request for Comments) in
the January 21, 2004 Federal Register, inviting interested parties to
comment on a variety of IPv6-related issues. The RFC is available here;
the press announcement is available here.
The deadline for comments is March 8, 2004.
- January 29, 2004 -- NIST
has completed the draft
NIST Special Publication 800-63, Recommendation for Electronic Authentication.
E-authentication is the remote authentication of individual people over
a network for the purpose of electronic government and commerce. This
recommendation provides technical guidance in the implementation of
electronic authentication to allow an individual person to remotely
authenticate his or her identity to a Federal IT system. It supplements
OMB guidance, E-Authentication Guidance for Federal Agencies
that defines four levels of authentication in terms of the likely consequences
of an authentication error. Special Publication 800-63 states specific
technical requirements for each of the four levels of assurance in the
following areas: identity proofing and registration, tokens, remote
authentication mechanisms and assertion mechanisms. NIST requests
comments on the draft document by March 15, 2004. Please address
your comments to: eauth-comment@nist.gov.
- January 22, 2004 -- NIST-ITL’s Computer Security Division is holding five
workshops on important cybersecurity-related topics over the course of the
next few months:
  - "Knowledge Based Authentication: Is it Quantifiable" on February 9-10,
    2004 (in conjunction with GSA)
  - "Spam Technology" on February 17, 2004 (in conjunction with NIST-ITL’s
    Advanced Network Technologies Division)
  - Workshop (government only) on the Draft of NIST Special Publication
    800-60, Guide for Mapping Types of Information and Information Systems
    to Security Categories, February 26, 2004; repeated on February 27, 2004.
    Please e-mail elaine.frye@nist.gov for Workshop details and registration
    information.
  - Workshop on the Draft of NIST Special Publication 800-53, Recommended
    Security Controls for Federal Information Systems, March 8, 2004. The
    draft of 800-53 is available here. Here is the NIST Conference and
    Facilities electronic registration page.
  - Third Annual Public Key Infrastructure R&D Workshop, April 12-14, 2004
    (in conjunction with NIH and Internet 2)
- January 16, 2004 -- NIST
is pleased to announce the completion of NIST Special Publication (SP)
800-61, Computer Security Incident Handling Guide. The Federal
Information Security Management Act of 2002 directed NIST to produce
this publication. This publication seeks to help both established and
newly formed incident response teams respond effectively and efficiently
to a variety of incidents. More specifically, this publication discusses
the following items: 1) organizing a computer security incident response
capability, 2) establishing incident response policies and procedures,
3) structuring an incident response team, and 4) handling incidents
from initial preparation through the post-incident lessons learned phase.
Additionally, it discusses these steps (prevention, preparation, containment,
eradication, and recovery) for handling a range of incidents, such as
denial of service, malicious code, unauthorized access, inappropriate
usage, and multiple component incidents and potential scenarios to examine
in preparation for major incidents. SP 800-61 supersedes SP 800-3, Establishing
a Computer Security Incident Response Capability (CSIRC). To view or
to download this publication please visit our Special
Publications page.
Last updated:
October 4, 2004
Page created: January 2, 2004