Nist csd publications_20140428



NIST Computer Security Division Publications as of April 28, 2014


Page 1: Nist csd publications_20140428

NIST_CSD_Publications_20140428

Cat Status Series Pub Sort Date Title

Final SP 800-12 10/1/1995 An Introduction to Computer Security: the NIST Handbook

Topic General IT Security

Keyword Computer security; guidance; IT security; security controls

Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;

Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;

Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &

Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract This handbook provides assistance in securing computer-based resources (including hardware, software, and information)

by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits

of security controls, the major techniques or approaches for each control, and important related considerations.

The handbook provides a broad overview of computer security to help readers understand their computer security needs

and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps

necessary to implement a computer security program, provide detailed implementation procedures for security controls, or

give guidance for auditing the security of specific systems.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-12

Final SP 800-13 10/1/1995 Telecommunications Security Guidelines for Telecommunications Management Network

Topic Communications & Wireless

Keyword Telecommunications security; security baseline; security requirements

Family Contingency Planning; Risk Assessment

Abstract This Telecommunication Security Guideline is intended to provide a security baseline for Network Elements (NEs) and

Mediation Devices (MDs) that is based on commercial security needs. In addition, some National Security and Emergency

Preparedness (NS/EP) security requirements will be integrated into the baseline to address specific network security

needs.

The guideline should assist telecommunications vendors in developing systems and service providers in implementing

systems with appropriate security for integration into the Public Switched Network (PSN). It can also be used by a

government agency or a commercial organization to formulate a specific security policy. It does not stipulate regulatory

requirements or mandated standards of the National Institute of Standards and Technology.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-13

Final SP 800-14 9/1/1996 Generally Accepted Principles and Practices for Securing Information Technology Systems

Topic General IT Security

Keyword IT security; security baseline; security practices; security principles

Page 1 of 118


Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;

Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;

Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &

Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract As more organizations share information electronically, a common understanding of what is needed and expected in

securing information technology (IT) resources is required. This document provides a baseline that organizations can use

to establish and review their IT security programs. The document gives a foundation that organizations can reference

when conducting multi-organizational business as well as internal business. Management, internal auditors, users, system

developers, and security practitioners can use the guideline to gain an understanding of the basic security requirements

most IT systems should contain. The foundation begins with generally accepted system security principles and continues

with common practices that are used in securing IT systems.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-14

Final SP 800-15 1/1/1998 MISPC Minimum Interoperability Specification for PKI Components, Version 1

Topic Cryptography; Digital Signatures; PKI; Services & Acquisitions

Keyword Certificate; certificate revocation list; certification authority (CA); CRL; public key infrastructure (PKI); registration authority;

repository; X.509

Family System & Communication Protection

Abstract The Minimum Interoperability Specification for PKI Components (MISPC) supports interoperability for a large scale public key

infrastructure (PKI) that issues, revokes and manages X.509 version 3 digital signature public key certificates and version 2 certificate

revocation lists (CRLs). To the extent possible, this document adopts data formats and transaction sets defined in existing and evolving

standards, such as ITU X.509 and the IETF's Internet Public Key Infrastructure Using X.509 Certificates (PKIX) series. In this

specification a PKI is broken into five components: certification authorities (CAs) that issue and revoke certificates; organizational

registration authorities (ORAs) that vouch for the binding between public keys and certificate holder identities and other attributes;

certificate holders that are issued certificates and can sign digital documents; clients that validate digital signatures and their certification

paths from a known public key of a trusted CA; and repositories that store and make available certificates and CRLs. The MISPC

supports both hierarchical and network trust models. In hierarchical models, trust is delegated by a CA when it certifies a subordinate

CA. Trust delegation starts at a root CA that is trusted by every node in the infrastructure. In network models, trust is established

between any two CAs. The MISPC specifies the use of X.509 v3 extensions in certificates to explicitly manage trust relationships. This

specification consists primarily of a profile of certificate and CRL extensions and a set of transactions. The transactions include:

certification requests, certificate renewal, certificate revocation, and retrieval of certificates and CRLs from repositories.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-15-Version%201

DRAFT SP 800-16 Rev. 1 3/14/2014 A Role-Based Model for Federal Information Technology/Cybersecurity Training

Topic Audit & Accountability; Awareness & Training

Keyword Cybersecurity; information assurance; learning continuum; role-based training; security; security awareness; security

controls; security literacy

Family Awareness & Training; Program Management

Page 2 of 118


Abstract Meeting security responsibilities and providing for the confidentiality, integrity, and availability of information in today's highly networked

environment can be a difficult task. Each individual that owns, uses, relies on, or manages information and information technology (IT)

systems must fully understand their specific security responsibilities. This includes ownership of the information and the role individuals

have in protecting information. Information that requires protection includes information they own, information provided to them as part

of their work and information they may come into contact with.

This document describes information technology/cybersecurity role-based training for the Federal Departments and Agencies and

Organizations (Federal Organizations) and contractor support in these roles. Its primary focus is to provide a comprehensive, yet

flexible, training methodology for the development of training courses or modules for personnel who have been identified as having

significant information technology/cybersecurity responsibilities. This document is intended to be used by Federal information

technology/cybersecurity training personnel and their contractors to assist in designing role-based training courses or modules for

Federal Organizations personnel and contractors who have been identified as having significant responsibilities for information

technology/cybersecurity. This publication should also be read, reviewed, or understood at a fairly high level by several audiences

including the Organizational Heads through the leadership chain to the individual. Some of the titles include, but are not limited to, the IT

Managers, Senior Agency Information Security Officer (SAISO), Certified Information Systems Security Officer (CISSO), Information

Systems Security Officer (ISSO), Information Assurance Manager (IAM), and Program Manager (PM).

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Conduct Security Awareness Training

Link http://csrc.nist.gov/publications/PubsSPs.html#800-16-rev1

Final SP 800-16 4/1/1998 Information Technology Security Training Requirements: a Role- and Performance-Based Model

Topic Audit & Accountability; Awareness & Training

Keyword Awareness; behavioral objectives; education; individual accountability; job function; management and technical controls;

rules of behavior; training

Family Awareness & Training; Program Management

Abstract This document supersedes NIST SP 500-172, Computer Security Training Guidelines, published in 1989. The new

document supports the Computer Security Act (Public Law 100-235) and OMB Circular A-130 Appendix III requirements

that NIST develop and issue computer security training guidance. This publication presents a new conceptual framework

for providing information technology (IT) security training. This framework includes the IT security training requirements

appropriate for today's distributed computing environment and provides flexibility for extension to accommodate future

technologies and the related risk management decisions.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Conduct Security Awareness Training

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-16

Final SP 800-17 2/1/1998 Modes of Operation Validation System (MOVS): Requirements and Procedures

Topic Authentication; Cryptography

Keyword Automated testing; computer security; cryptographic algorithms; cryptography; Data Encryption Standard (DES); Federal

Information Processing Standard (FIPS); NVLAP; Skipjack algorithm; secret key cryptography; validation.

Family Certification, Accreditation & Security Assessments; System & Communication Protection

Page 3 of 118


Abstract The National Institute of Standards and Technology (NIST) Modes of Operation Validation System (MOVS) specifies the

procedures involved in validating implementations of the DES algorithm in FIPS PUB 46-2, The Data Encryption Standard

(DES), and the Skipjack algorithm in FIPS PUB 185, Escrowed Encryption Standard (EES). The MOVS is designed to

perform automated testing on Implementations Under Test (IUTs). This publication provides brief overviews of the DES

and Skipjack algorithms and introduces the basic design and configuration of the MOVS. Included in this overview are the

specifications for the two categories of tests which make up the MOVS, i.e., the Known Answer tests and the Modes tests.

The requirements and administrative procedures to be followed by those seeking formal NIST validation of an

implementation of the DES or Skipjack algorithm are presented. The requirements described include the specific protocols

for communication between the IUT and the MOVS, the types of tests which the IUT must pass for formal NIST validation,

and general instructions for accessing and interfacing with the MOVS. An appendix with tables of values and results for

the DES and Skipjack Known Answer tests is also provided.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-17

Final SP 800-18 Rev. 1 2/1/2006 Guide for Developing Security Plans for Federal Information Systems

Topic Audit & Accountability; Certification & Accreditation (C&A); Planning

Keyword Authorize processing; computer security; general support system; major application; management controls; operational

controls; rules of behavior; security plan; technical controls

Family Certification, Accreditation & Security Assessments; Planning

Abstract The objective of system security planning is to improve protection of information system resources. All federal systems have some level

of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system

security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130,

Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Title III of the

E-Government Act, entitled the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to

provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those

requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security

protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information

owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the

basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document

are adequately covered and readily identifiable.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-18-Rev.1

Final SP 800-19 10/1/1999 Mobile Agent Security

Topic Planning; Risk Assessment; Viruses & Malware

Keyword Computer security; mobile agent security

Page 4 of 118


Family Access Control; Audit & Accountability; Planning; Risk Assessment; System & Communication Protection; System &

Information Integrity

Abstract Mobile agent technology offers a new computing paradigm in which a

program, in the form of a software agent, can suspend its execution on a host computer, transfer itself to another agent-enabled host on the network, and resume execution on the new host. The use of mobile code has a long history dating

back to the use of remote job entry systems in the 1960s. Today's agent incarnations can be characterized in a number of

ways ranging from simple distributed objects to highly organized software with embedded intelligence. As the

sophistication of mobile software has increased over time, so too have the associated threats to security. This report

provides an overview of the range of threats facing the designers of agent platforms and the developers of agent-based

applications. The report also identifies generic security objectives, and a range of measures for countering the identified

threats and fulfilling these security objectives.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-19

Final SP 800-20 3/1/2012 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures

Topic Cryptography

Keyword Automated testing; computer security; cryptographic algorithms; cryptography; Triple Data Encryption Algorithm (TDEA);

Triple Data Encryption Standard (TDES); Federal Information Processing Standard (FIPS); NVLAP; secret key

cryptography; validation.

Family Certification, Accreditation & Security Assessments; System & Communication Protection

Abstract The National Institute of Standards and Technology (NIST) Modes of Operation Validation System for the Triple Data

Encryption Algorithm (TMOVS) specifies the procedures involved in validating implementations of the Triple DES

algorithm in ANSI X9.52 - 1998, Triple Data Encryption Algorithm Modes of Operation. Successful completion of the tests

contained within the TMOVS is required to claim conformance to ANSI X9.52-1998. The TMOVS is designed to perform

automated testing on Implementations Under Test (IUTs). This publication provides a brief overview of the Triple DES

algorithm and introduces the basic design and configuration of the TMOVS. Included in this overview are the

specifications for the two categories of tests which make up the TMOVS, i.e., the Known Answer tests and the Modes

tests. The requirements and administrative procedures to be followed by those seeking formal NIST validation of an

implementation of the Triple DES algorithm are presented. The requirements described include the specific protocols for

communication between the IUT and the TMOVS, the types of tests which the IUT must pass for formal NIST validation,

and general instructions for accessing and interfacing with the TMOVS. An appendix with tables of values and results for the

TDES Known Answer tests is also provided.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-20

Final SP 800-21 Second edition 12/1/2005 Guideline for Implementing Cryptography in the Federal Government

Topic Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Planning; Risk Assessment;

Services & Acquisitions

Keyword Cryptographic algorithm; cryptographic hash function; cryptographic key; cryptographic module; digital signature; key

establishment; key management; message authentication code

Family Contingency Planning; Incident Response; Planning; System & Communication Protection; System & Services Acquisition

Page 5 of 118


Abstract This Second Edition of NIST Special Publication (SP) 800-21 updates and replaces the November 1999 edition of Guideline for

Implementing Cryptography in the Federal Government. Many of the references and cryptographic techniques contained in the first

edition of NIST SP 800-21 have been amended, rescinded, or superseded since its publication. The current publication offers new tools

and techniques. NIST SP 800-21 is intended to provide a structured, yet flexible set of guidelines for selecting, specifying, employing,

and evaluating cryptographic protection mechanisms in Federal information systems, and thus makes a significant contribution toward

satisfying the security requirements of the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. The

current publication also reflects the elimination of the waiver process by the Federal Information Security Management Act (FISMA) of

2002.

SP 800-21 includes background information, describes the advantages of using cryptography; defines the role and use of standards

and describes standards organizations that are outside the Federal government; describes the methods that are available for symmetric

and asymmetric key cryptography; describes implementation issues (e.g., key management); discusses assessments, including the

Cryptographic Module Validation Program (CMVP), the Common Criteria (CC), and Certification and Accreditation (C&A); and describes

the process of choosing the types of cryptography to be used and selecting a cryptographic method or methods to fulfill a specific

requirement.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-21-2nd%20edition

Final SP 800-22 Rev. 1a 4/1/2010 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications

Topic Cryptography

Keyword Random number generator; hypothesis test; P-value

Family Certification, Accreditation & Security Assessments; System & Communication Protection

Abstract This paper discusses some aspects of selecting and testing random and pseudorandom number generators. The outputs

of such generators may be used in many cryptographic applications, such as the generation of key material. Generators

suitable for use in cryptographic applications may need to meet stronger requirements than for other applications. In

particular, their outputs must be unpredictable in the absence of knowledge of the inputs. Some criteria for characterizing

and selecting appropriate generators are discussed in this document. The subject of statistical testing and its relation to

cryptanalysis is also discussed, and some recommended statistical tests are provided. These tests may be useful as a

first step in determining whether or not a generator is suitable for a particular cryptographic application. However, no set of

statistical tests can absolutely certify a generator as appropriate for usage in a particular application, i.e., statistical testing

cannot serve as a substitute for cryptanalysis. The design and cryptanalysis of generators is outside the scope of this

paper.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-22-Rev.%201a

Final SP 800-23 8/1/2000 Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

Topic Certification & Accreditation (C&A); Risk Assessment

Keyword Assurance; computer security; evaluation; information assurance; IT security; security testing

Family Certification, Accreditation & Security Assessments; Risk Assessment; System & Services Acquisition

Page 6 of 118


Abstract Computer security assurance provides a basis for one to have confidence that security measures, both technical and

operational, work as intended. Use of products with an appropriate degree of assurance contributes to security and

assurance of the system as a whole and thus should be an important factor in IT procurement decisions. Two Government

programs are of particular interest -- the National Information Assurance Partnership (NIAP)'s Common Criteria Evaluation

and Validation Program and NIST's Cryptographic Module Validation Program (CMVP). The NIAP program focuses on

evaluations of products (e.g., a firewall or operating system) against a set of security specifications. The CMVP program

focuses on security conformance testing of a cryptographic module against Federal Information Processing Standard 140-1, Security Requirements for Cryptographic Modules, and related federal cryptographic algorithm standards.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-23

Final SP 800-24 4/1/2001 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does

Topic Communications & Wireless; Maintenance

Keyword Computer security; PBX; private branch exchange; telecommunications security

Family Access Control; Contingency Planning; Identification & Authentication; Maintenance; Media Protection; Physical &

Environmental Protection; Risk Assessment

Abstract This report presents a generic methodology for conducting an analysis of a Private Branch Exchange (PBX) in order to

identify security vulnerabilities. The report focuses on digital-based PBXs and addresses the following areas for study:

System Architecture; Hardware; Maintenance; Administrative Database/Software; and User Features. The methods

described in this report are designed to assist administrators in conducting this type of testing. Computer based telephony

systems and new techniques such as voice over IP (VOIP) present an entirely new collection of vulnerabilities and are not

addressed in this report. However, some of the evaluation methods described here may be applied to these systems as

well.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-24

Final SP 800-25 10/1/2000 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication

Topic Authentication; Cryptography; Digital Signatures; PKI; Planning; Services & Acquisitions

Keyword Federal bridge CA; Government Paperwork Elimination Act; GPEA; guidance; PKI; public key infrastructure

Family Contingency Planning; Identification & Authentication; Planning; Risk Assessment; System & Communication Protection

Page 7 of 118


Abstract This guidance document was developed by the Federal Public Key Infrastructure Steering Committee to assist Federal

agencies that are considering the use of public key technology for digital signatures or authentication over open networks

such as the Internet. This includes communications with other Federal or non-Federal entities, such as members of the

public, private firms, citizen groups, and state and local governments. Most public key technology applications for digital

signatures provide for user authentication as well. However, public key technology can be used for user authentication

only without digital signatures. Standards such as X.509 provide for that functionality. This document encourages the

thoughtful use of public key technology by Federal agencies as set forth in guidance published by the Office of

Management and Budget implementing the Government Paperwork Elimination Act (GPEA). It also amplifies upon

principles contained in the GPEA guidance and separately in Access with Trust issued in September 1998 by the Office of

Management and Budget, the National Partnership for Reinventing Government, and the Government Information

Technology Services Board. Finally, it discusses briefly the government-wide Public Key Infrastructure (PKI) which is

developing to enable applications programs to effectively use public key technology across Federal agencies.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-25

Final SP 800-27 Rev. A 6/1/2004 Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A

Topic General IT Security; Planning

Keyword Computer security; engineering principles; IT security; security baseline

Family Planning; System & Services Acquisition

Abstract The Engineering Principles for Information Technology (IT) Security (EP-ITS) presents a list of system-level security

principles to be considered in the design, development, and operation of an information system. This document is to be

used by IT security stakeholders and the principles introduced can be applied to general support systems and major

applications. EP-ITS presents principles that apply to all systems, not ones tied to specific technology areas. These

principles provide a foundation upon which a more consistent and structured approach to the design, development, and

implementation of IT security capabilities can be constructed. While the primary focus of these principles remains on the

implementation of technical countermeasures, these principles highlight the fact that, to be effective, a system security

design should also consider non-technical issues, such as policy, operational procedures, and user education.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-27-Rev.%20A

Final SP 800-28 Version 2 3/1/2008 Guidelines on Active Content and Mobile Code
Topic Risk Assessment; Viruses & Malware
Keyword Active content; email security; malware; mobile code; Web security
Family Access Control; Risk Assessment; System & Communication Protection; System & Information Integrity
Abstract Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it can also become a source of vulnerability for exploitation by an attacker. The purpose of this document is to provide an overview of active content and mobile code technologies in use today and offer insights for making informed IT security decisions on their application and treatment. The discussion gives details about the threats, technology risks, and safeguards for end user systems, such as desktops and laptops. Although various end user applications, such as email clients, can involve active content, Web browsers remain the primary vehicle for delivery and are underscored in the discussion. The tenets presented for Web browsers apply equally well to other end user applications and can be inferred directly.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-28-Version%202

Final SP 800-29 6/1/2001 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
Topic Cryptography
Keyword Cryptographic modules; cryptography; cryptography security requirements; FIPS PUB 140-1; FIPS PUB 140-2
Family System & Communication Protection
Abstract Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in critical infrastructures, electronic commerce, and other application areas. Cryptographic modules are implemented in these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation and identification and authentication. A documented methodology for conformance testing through a defined set of security requirements in FIPS 140-1 and FIPS 140-2 and other cryptographic standards is specified in the Derived Test Requirements. FIPS 140-1 is one of NIST's most successful standards and forms the very foundation of the Cryptographic Module Validation Program. FIPS 140-2 addresses lessons learned from questions and comments and reflects changes in technology. The standard was strengthened, but not changed in focus or emphasis. Also, the standard was minimally restructured to: standardize the language and terminology to add clarity and consistency; remove redundant and extraneous information to make the standard more concise; and revise or remove vague requirements. Finally, a new section was added detailing new types of attacks on cryptographic modules that currently do not have specific testing available. This differences paper summarizes the changes from FIPS 140-1 to FIPS 140-2 and documents the detailed requirements.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-29

Final SP 800-30 Rev. 1 9/1/2012 Guide for Conducting Risk Assessments
Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment
Keyword Cost-benefit analysis; residual risk; risk; risk assessment; risk management; risk mitigation; security controls; threat; vulnerability
Family Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System & Services Acquisition
Abstract The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-30-Rev.%201

Final SP 800-32 2/26/2001 Introduction to Public Key Technology and the Federal PKI Infrastructure
Topic Authentication; Cryptography; Digital Signatures; PKI; Planning
Keyword Certificates; digital signatures; PKI; public key infrastructure
Family Identification & Authentication; Planning; Risk Assessment; System & Communication Protection
Abstract This publication was developed to assist agency decision-makers in determining if a PKI is appropriate for their agency, and how PKI services can be deployed most effectively within a Federal agency. It is intended to provide an overview of PKI functions and their applications. Additional documentation will be required to fully analyze the costs and benefits of PKI systems for agency use, and to develop plans for their implementation. This document provides a starting point and references to more comprehensive publications.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-32

Final SP 800-33 12/1/2001 Underlying Technical Models for Information Technology Security
Topic General IT Security; Planning
Keyword Computer security; information technology security; IT security; technical models
Family Planning; System & Services Acquisition
Abstract Underlying Technical Models for Information Technology Security provides a description of the technical foundations, termed models, that underlie secure information technology (IT). The intent is to provide, in a concise form, the models that should be considered in the design and development of technical security capabilities. These models encompass lessons learned, good practices, and specific technical considerations. The intended audience consists of both government and private sectors including: IT users desiring a better understanding of system security; engineers and architects designing/building security capabilities; and those developing guidance for others to use in implementing security capabilities.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-33

Final SP 800-34 Rev. 1 11/11/2010 Contingency Planning Guide for Federal Information Systems
Topic Certification & Accreditation (C&A); Contingency Planning
Keyword Contingency Planning; Resilience; Information System Contingency Plan; Incident Response Plan; Disaster Recovery Plan
Family Contingency Planning; Maintenance; Planning; Risk Assessment; System & Services Acquisition
Abstract This publication assists organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines. This guidance document provides background information on interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle. This document provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Develop Contingency Plans & Procedures
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-34-Rev.%201

Final SP 800-35 10/1/2003 Guide to Information Technology Security Services
Topic Planning; Services & Acquisitions
Keyword Computer security; information security; life cycle; outsourcing business case; security service; service level agreement; service provider; total cost of ownership
Family Certification, Accreditation & Security Assessments; Configuration Management; System & Services Acquisition
Abstract Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from security policy development to intrusion detection support, may be offered by an IT group internal to an organization, or by a growing group of vendors. It is difficult and challenging to determine service provider capabilities, measure service reliability and navigate the many complexities involved in security service agreements. This guide provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. This life cycle provides a framework that enables the IT security decision makers to organize their IT security efforts from initiation to closeout. The factors to be considered when selecting, implementing, and managing IT security services include: the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization systems, applications, and information.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-35

Final SP 800-36 10/1/2003 Guide to Selecting Information Technology Security Products
Topic Planning; Services & Acquisitions
Keyword Computer security; enterprise architecture; life cycle; products; security controls
Family Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Incident Response; Media Protection; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract The selection of IT security products is an integral part of the design, development and maintenance of an IT security infrastructure that ensures confidentiality, integrity, and availability of mission critical information. The guide seeks to assist in choosing IT security products that meet an organization's requirements. It should be used with other NIST publications to develop a comprehensive approach to meeting an organization's computer security and information assurance requirements. This guide defines broad security product categories, specifies product types within those categories, and then provides a list of characteristics and pertinent questions an organization should ask when selecting a product from within these categories.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-36

Final SP 800-37 Rev. 1 2/1/2010 Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment
Keyword Risk management framework; categorize; security controls; information systems; common controls; roles and responsibilities; security authorization; continuous monitoring; FISMA
Family Certification, Accreditation & Security Assessments; Configuration Management; Planning; Program Management; Risk Assessment
Abstract The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-37-Rev.%201

Final SP 800-38A 12/1/2001 Recommendation for Block Cipher Modes of Operation: Methods and Techniques
Topic Authentication; Cryptography
Keyword Computer security; cryptography; data security; block cipher; encryption; mode of operation.
Family System & Communication Protection
Abstract This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-A

800-38A Addendum 10/1/2010 Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
Topic Authentication; Cryptography
Keyword Block cipher; ciphertext stealing; cryptography; encryption; mode of operation
Family System & Communication Protection
Abstract A limitation to Cipher Block Chaining (CBC) mode, as specified in NIST Special Publication 800-38A, is that the plaintext input must consist of a sequence of blocks. Ciphertext stealing is a padding method in which the required padding bits are "stolen" from the penultimate ciphertext block. This addendum to SP 800-38A specifies three variants of CBC mode with ciphertext stealing. These variants, which differ only in the ordering of the ciphertext bits, can encrypt any input whose bit length is greater than or equal to the block size. Unlike conventional padding methods, these variants do not expand the length of the data.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-A%20-%20Addendum

Final SP 800-38B 5/1/2005 Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
Topic Authentication; Cryptography
Keyword Authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation.
Family System & Communication Protection
Abstract This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-B

Final SP 800-38C 7/20/2007 Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
Topic Authentication; Cryptography
Keyword Authenticated encryption; authentication; block cipher; confidentiality; cryptography; encryption; information security; message authentication code; mode of operation
Family System & Communication Protection
Abstract This Recommendation defines a mode of operation, called Counter with Cipher Block Chaining-Message Authentication Code (CCM), for a symmetric key block cipher algorithm. CCM may be used to provide assurance of the confidentiality and the authenticity of computer data by combining the techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-C

Final SP 800-38D 11/1/2007 Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
Topic Authentication; Cryptography
Keyword Authenticated encryption; authentication; block cipher; confidentiality; cryptography; encryption; information security; mode of operation.
Family System & Communication Protection
Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-D

Final SP 800-38E 1/1/2010 Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
Topic Authentication; Cryptography
Keyword Block cipher; ciphertext stealing; computer security; confidentiality; cryptography; encryption; information security; mode of operation; tweakable block cipher.
Family System & Communication Protection
Abstract This publication approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one additional requirement, as an option for protecting the confidentiality of data on storage devices. The mode does not provide authentication of the data or its source.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-E

Final SP 800-38F 12/21/2012 Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
Topic Authentication; Cryptography
Keyword authenticated encryption; authentication; block cipher; computer security; confidentiality; cryptography; encryption; information security; key wrapping; mode of operation
Family System & Communication Protection
Abstract This publication describes cryptographic methods that are approved for "key wrapping," i.e., the protection of the confidentiality and integrity of cryptographic keys. In addition to describing existing methods, this publication specifies two new, deterministic authenticated-encryption modes of operation of the Advanced Encryption Standard (AES) algorithm: the AES Key Wrap (KW) mode and the AES Key Wrap With Padding (KWP) mode. An analogous mode with the Triple Data Encryption Algorithm (TDEA) as the underlying block cipher, called TKW, is also specified, to support legacy applications.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-F

DRAFT SP 800-38G 7/8/2013 Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
Topic Authentication; Cryptography
Keyword block cipher; computer security; confidentiality; cryptography; encryption; Feistel structure; format-preserving encryption; information security; mode of operation
Family System & Communication Protection
Abstract This Recommendation specifies three methods for format-preserving encryption, called FF1, FF2, and FF3. Each of these methods is a mode of operation of the AES algorithm, which is used to construct a round function within the Feistel structure for encryption.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-G

Final SP 800-39 3/1/2011 Managing Information Security Risk: Organization, Mission, and Information System View
Topic Planning; Risk Assessment
Keyword Risk management; security; risk assessment; roles; responsibilities; organization; mission; information system; enterprise risk management; continuous monitoring; joint task force transformation initiative
Family Program Management
Abstract The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing information security risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines. The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the information security risk management guidance described herein is complementary to and can be used as part of a more comprehensive Enterprise Risk Management (ERM) program.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-39

Final SP 800-40 Rev. 3 7/22/2013 Guide to Enterprise Patch Management Technologies
Topic Maintenance; Planning; Risk Assessment
Keyword information security; patch management; remediation; software patches; vulnerability management
Family Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Information Integrity
Abstract Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies and it also briefly discusses metrics for measuring the technologies' effectiveness. Draft NIST SP 800-40 Revision 3 replaces the previous release (version 2), which was published in 2005.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-40-Rev.%203

800-40 Version 2.0 11/1/2005 Creating a Patch and Vulnerability Management Program
Topic Maintenance; Planning; Risk Assessment; Viruses & Malware
Keyword Computer security; security patches; vulnerability management
Family Awareness & Training; Configuration Management; Planning; Risk Assessment
Abstract This document provides guidance on creating a security patch and vulnerability management program and testing the effectiveness of that program. The primary audience is security managers who are responsible for designing and implementing the program. However, this document also contains information useful to system administrators and operations personnel who are responsible for applying patches and deploying solutions (i.e., information related to testing patches and enterprise patching software).
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-40-Version%202.0

Final SP 800-41 Rev. 1 9/1/2009 Guidelines on Firewalls and Firewall Policy
Topic Audit & Accountability; Communications & Wireless; Planning
Keyword Firewall policy; firewalls; host-based firewalls; network firewalls; network security; packet filtering; perimeter security; personal firewalls; proxies
Family Access Control; Audit & Accountability; Planning; System & Communication Protection
Abstract Firewalls are devices or programs that control the flow of network traffic between networks or hosts employing differing security postures. This publication provides an overview of several types of firewall technologies and discusses their security capabilities and their relative advantages and disadvantages in detail. It also makes recommendations for establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions.
Legal Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-41-Rev.%201


Final SP 800-43 11/1/2002 Systems Administration Guidance for Securing Windows 2000 Professional System
Topic Maintenance; Planning
Keyword E-mail client; hardening; lock-down; Microsoft Windows 2000; operating system; patches; security; virus; web-browser
Family Access Control; Configuration Management; Contingency Planning; System & Information Integrity
Abstract The document is intended to assist the users and system administrators of Windows 2000 Professional systems in configuring their hosts by providing configuration templates and security checklists. The guide provides detailed information about the security features of Win2K Pro, security configuration guidelines for popular applications, and security configuration guidelines for the Win2K Pro operating system. The guide documents the methods that the system administrators can use to implement each security setting recommended. The principal goal of the document is to recommend and explain tested, secure settings for Win2K Pro workstations with the objective of simplifying the administrative burden of improving the security of Win2K Pro systems. This guidance document also includes recommendations for testing and configuring common Windows applications. The application types include electronic mail (e-mail) clients, Web browsers, productivity applications, and antivirus scanners. This list is not intended to be a complete list of applications to install on Windows 2000 Professional, nor does it imply NIST's endorsement of particular commercial off-the-shelf (COTS) products. Many of the configuration recommendations for the tested Windows applications focus on deterring viruses, worms, Trojan horses, and other types of malicious code. The guide presents recommendations to protect the Windows 2000 Professional system from malicious code when the tested applications are being used.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-43

Final SP 800-44 Version 2 9/1/2007 Guidelines on Securing Public Web Servers
Topic General IT Security; Planning
Keyword Web server; Web server security
Family Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System & Communication Protection
Abstract Web servers are often the most targeted and attacked hosts on organizations' networks. As a result, it is essential to secure Web servers and the network infrastructure that supports them. This document is intended to assist organizations in installing, configuring, and maintaining secure public Web servers. Practices described in detail include choosing Web server software and platforms, securing the underlying operating system and Web server software, deploying appropriate network protection mechanisms, and using, publicizing, and protecting information in a careful and systematic manner. The publication also provides recommendations for maintaining secure configurations through patching and upgrades, security testing, log monitoring, and backups of data and operating system files.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-44-Version%202

Final SP 800-45 Version 2 2/1/2007 Guidelines on Electronic Mail Security
Topic Communications & Wireless
Keyword E-mail; electronic mail; FISMA
Family Access Control; Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity
Abstract This document was developed in furtherance of NIST's statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. The purpose of the publication is to recommend security practices for designing, implementing, and operating email systems on public and private networks. It contains information on popular email encryption standards and other standards relating to email. It presents general information on securing mail servers' operating systems and specific guidance on securing mail server applications, protecting messages traversing servers, and securing access to mailboxes. It also provides information regarding email client security and mail server administration.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-45-Version%202

Final SP 800-46 Rev. 1 6/1/2009 Guide to Enterprise Telework and Remote Access Security
Topic Authentication; Communications & Wireless; Contingency Planning; General IT Security; Viruses & Malware
Keyword Mobile device security; remote access; remote access security; telework; telework security; virtual private networking
Family Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Media Protection; Risk Assessment; System & Communication Protection; System & Information Integrity
Abstract Many organizations' employees and contractors use enterprise telework technologies to perform work from external locations. Most teleworkers use remote access technologies to interface with an organization's non-public computing resources. The nature of telework and remote access technologies, permitting access to protected resources from external networks and often external hosts as well, generally places them at higher risk than similar technologies only accessed from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through remote access. This publication provides information on security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework and remote access technologies. It also gives advice on creating telework security policies.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Develop Contingency Plans & Procedures
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-46-Rev.%201

Final SP 800-47 8/1/2002 Security Guide for Interconnecting Information Technology Systems

Topic Certification & Accreditation (C&A); General IT Security; Planning; Risk Assessment

Keyword Information systems security; interconnecting systems; IT security; system development life cycle

Family Certification, Accreditation & Security Assessments

Abstract The Security Guide for Interconnecting Information Technology Systems provides guidance for planning, establishing, maintaining, and terminating interconnections between information technology (IT) systems that are owned and operated by different organizations. The guidance is consistent with the requirements specified in the Office of Management and Budget (OMB) Circular A-130, Appendix III, for system interconnection and information sharing. A system interconnection is defined as the direct connection of two or more IT systems for the purpose of sharing data and other information resources. The document describes benefits of interconnecting IT systems, defines the basic components of an interconnection, identifies methods and levels of interconnectivity, and discusses potential security risks. The document then presents a "life-cycle" approach for system interconnections, with an emphasis on security. Four phases are addressed: a) Planning the interconnection: the organizations perform preliminary activities; examine technical, security, and administrative issues; and form an agreement governing the management, operation, and use of the interconnection; b) Establishing the interconnection: the organizations develop and execute a plan for establishing the interconnection, including implementing or configuring security controls; c) Maintaining the interconnection: the organizations maintain the interconnection after it is established to ensure that it operates properly and securely; and d) Disconnecting the interconnection: one or both organizations may terminate the interconnection. The termination should be conducted in a planned manner to avoid disrupting the other party's system. In an emergency, however, one or both organizations may choose to terminate the interconnection immediately. The document provides recommended steps for completing each phase, emphasizing security measures to protect the systems and shared data. The document also contains guides and samples for developing an Interconnection Security Agreement (ISA) and a Memorandum of Understanding/Agreement (MOU/A). The ISA specifies technical and security requirements of the interconnection; the MOU/A defines the responsibilities of the organizations. Finally, the document contains a guide for developing an Implementation Plan to establish the interconnection.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-47

Final SP 800-48 Rev. 1 7/1/2008 Guide to Securing Legacy IEEE 802.11 Wireless Networks

Topic Authentication; Communications & Wireless; General IT Security; Planning; Services & Acquisitions

Keyword IEEE 802.11; network security; wireless local area network; wireless networking

Family Access Control; Configuration Management; Identification & Authentication; Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract The purpose of this document is to provide guidance to organizations in securing their legacy Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networks (WLAN) that cannot use IEEE 802.11i. The document provides an overview of legacy IEEE 802.11 WLAN standards, components, and architectural models. It discusses the basics of WLAN security and examines the security capabilities provided by legacy IEEE 802.11 standards. The document also discusses threats and vulnerabilities involving legacy IEEE 802.11 WLANs, explains common countermeasures, and makes recommendations for their use.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-48-Rev.%201

Final SP 800-49 11/1/2002 Federal S/MIME V3 Client Profile

Topic Cryptography; Digital Signatures

Keyword Federal IT profile; interoperability of secure electronic mail; S/MIME profile; secure e-mail standards

Family Audit & Accountability; System & Communication Protection

Abstract The National Institute of Standards and Technology (NIST), Information Technology Laboratory, Computer Security Division, has developed this S/MIME (Secure / Multipurpose Internet Mail Extensions) client profile as guidance in the development and procurement of commercial-off-the-shelf (COTS) S/MIME-compliant products. This profile document identifies requirements for a secure and interoperable S/MIME V3 client implementation. NIST is developing tests and testing tools to determine the level of conformance of an S/MIME V3 client implementation with this profile.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-49

Final SP 800-50 10/1/2003 Building an Information Technology Security Awareness and Training Program

Topic Audit & Accountability; Awareness & Training

Keyword Awareness; certification; design; develop; education; implement; maintain; metrics; training

Family Awareness & Training; Contingency Planning; Incident Response

Abstract NIST Special Publication 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and Budget (OMB) Circular A-130, Appendix III. The document identifies the four critical steps in the life cycle of an IT security awareness and training program: 1) awareness and training program design (Section 3); 2) awareness and training material development (Section 4); 3) program implementation (Section 5); and 4) post-implementation (Section 6). The document is a companion publication to NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model. The two publications are complementary - SP 800-50 works at a higher strategic level, discussing how to build an IT security awareness and training program, while SP 800-16 is at a lower tactical level, describing an approach to role-based IT security training.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Conduct Security Awareness Training

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-50

Final SP 800-51 Rev. 1 2/1/2011 Guide to Using Vulnerability Naming Schemes

Topic Audit & Accountability; General IT Security; Incident Response; Services & Acquisitions

Keyword Common Configuration Enumeration (CCE); Common Vulnerabilities and Exposures (CVE); security automation; security configuration; Security Content Automation Protocol (SCAP); vulnerability naming; vulnerabilities

Family Audit & Accountability; Configuration Management; Incident Response; Risk Assessment; System & Services Acquisition

Abstract This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). SP 800-51 Revision 1 gives an introduction to both naming schemes and makes recommendations for end-user organizations on using their names. The publication also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-51-Rev.%201

Final SP 800-52 Rev. 1 4/28/2014 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

Topic Communications & Wireless; Cryptography; General IT Security; PKI

Keyword information security; network security; SSL; TLS; Transport Layer Security

Family System & Communication Protection

Abstract Transport Layer Security (TLS) provides mechanisms to protect sensitive data during electronic dissemination across the Internet. This Special Publication provides guidance on the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. It requires that TLS 1.1 configured with FIPS-based cipher suites be used as the minimum appropriate secure transport protocol, and recommends that agencies develop migration plans to TLS 1.2 by January 1, 2015. This Special Publication also identifies TLS extensions for which mandatory support must be provided and other recommended extensions.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#800-52

Final SP 800-53 Rev. 3 5/1/2010 Recommended Security Controls for Federal Information Systems and Organizations

Topic Audit & Accountability; Authentication; Awareness & Training; Certification & Accreditation (C&A); Communications & Wireless; Contingency Planning; Cryptography; General IT Security; Incident Response; Maintenance; Planning; Risk Assessment; Services & Acquisitions; Viruses & Malware

Keyword Security controls; risk management framework; security control assurance; security requirements; common controls; security control baselines; managing risk; FISMA

Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract The objective of NIST SP 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements levied on information systems and organizations and that is consistent with and complementary to other established information security standards. Revision 3 is the first major update since December 2005 and includes significant improvements to the security control catalog.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-Rev.%203

Final SP 800-53 Rev. 4 1/15/2014 Security and Privacy Controls for Federal Information Systems and Organizations

Topic Audit & Accountability; Authentication; Awareness & Training; Certification & Accreditation (C&A); Communications & Wireless; Contingency Planning; Cryptography; General IT Security; Incident Response; Maintenance; Planning; Risk Assessment; Services & Acquisitions; Viruses & Malware

Keyword assurance; computer security; FIPS Publication 199; FIPS Publication 200; FISMA; Privacy Act; Risk Management Framework; security controls; security requirements

Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and assurance helps to ensure that information technology component products and the information systems built from those products using sound system and security engineering principles are sufficiently trustworthy.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-Rev.%204

Final SP 800-53A Rev. 1 6/1/2010 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Topic Audit & Accountability; Certification & Accreditation (C&A)

Keyword FISMA; security controls; risk management; categorization; security assessment plans; assurance requirements; attributes; 800-53

Family Certification, Accreditation & Security Assessments; Program Management; Risk Assessment

Abstract Special Publication 800-53A, Revision 1 provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009 (including updates as of 05-01-2010). NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The updated security assessment guideline incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies and includes security control assessment procedures for both national security and non-national security systems. The guideline for developing security assessment plans is intended to support a wide variety of assessment activities in all phases of the system development life cycle including development, implementation, and operation. The important changes described in Special Publication 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. The increased flexibility in the selection of assessment methods, assessment objects, and depth and coverage attribute values empowers organizations to place the appropriate emphasis on the assessment process at every stage in the system development life cycle.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-A%20Rev.%201

Final SP 800-54 7/1/2007 Border Gateway Protocol Security

Topic Communications & Wireless; Planning

Keyword BGP; Border Gateway Protocol; computer security; routers

Family Configuration Management; Planning; System & Communication Protection

Abstract This document introduces the Border Gateway Protocol (BGP), explains its importance to the internet, and provides a set of best practices that can help in protecting BGP. Best practices described here are intended to be implementable on nearly all currently available BGP routers. While a number of enhanced protocols for BGP have been proposed, these generally require substantial changes to the protocol and may not interoperate with current BGP implementations. To improve the security of BGP routers, the recommendations listed below are introduced. While the recommendations can contribute to greatly improved BGP security, they are not a complete defense against all threats. Security administrators and decision makers should select and apply these methods based on their unique needs.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-54

Final SP 800-55 Rev. 1 7/1/2008 Performance Measurement Guide for Information Security

Topic Audit & Accountability; Certification & Accreditation (C&A); Maintenance; Planning

Keyword Information Security; Metrics; Measures; Security Controls; Performance; Reports

Family Certification, Accreditation & Security Assessments; Maintenance; Planning; Program Management

Abstract This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.

Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-55-Rev.%201

Final SP 800-56A Rev. 2 5/15/2013 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography

Topic Cryptography

Keyword Diffie-Hellman; elliptic curve cryptography; finite field cryptography; key-agreement; key-confirmation; key derivation; key establishment; key-transport; MQV

Family System & Communication Protection

Abstract This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and Menezes-Qu-Vanstone (MQV) key establishment schemes.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-A%20Rev.%202

DRAFT SP 800-56B Rev. 1 3/12/2014 Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography

Topic Cryptography

Keyword assurances; integer factorization cryptography; key agreement; key confirmation; key derivation; key-establishment; key management; key recovery; key-transport

Family System & Communication Protection

Abstract This Recommendation specifies key-establishment schemes using integer factorization cryptography, based on ANS X9.44, Key-establishment using Integer Factorization Cryptography [ANS X9.44], which was developed by the Accredited Standards Committee (ASC) X9, Inc.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-B%20Rev.%201

Final SP 800-56B 8/1/2009 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography

Topic Cryptography

Keyword Assurances; integer factorization cryptography; key agreement; key confirmation; key derivation; key establishment; key management; key recovery; key transport.

Family System & Communication Protection

Abstract This Recommendation specifies key establishment schemes using integer factorization cryptography, based on ANS X9.44, Key Establishment using Integer Factorization Cryptography, which was developed by the Accredited Standards Committee (ASC) X9, Inc.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-B

Final SP 800-56C 11/1/2011 Recommendation for Key Derivation through Extraction-then-Expansion

Topic Cryptography

Keyword Key derivation; extraction; expansion

Family System & Communication Protection

Abstract This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-C

Final SP 800-57 Part 1 Rev. 3 7/1/2012 Recommendation for Key Management, Part 1: General (Revision 3)

Topic Authentication; Cryptography; Digital Signatures; PKI; Planning

Keyword Assurances; authentication; authorization; availability; backup; compromise; confidentiality; cryptanalysis; cryptographic key; cryptographic module; digital signature; hash function; key agreement; key management; key management policy; key recovery; key transport; originator usage period; private key; public key; recipient usage period; secret key; split knowledge; trust anchor.

Family Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication Protection; System & Information Integrity

Abstract This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%201

Final SP 800-57 Part 2 8/1/2005 Recommendation for Key Management, Part 2: Best Practices for Key Management Organization

Topic Authentication; Cryptography; Digital Signatures; PKI; Planning

Keyword Accreditation; certification; cryptographic key; digital signature; key management; key management policy; public key; public key infrastructure; security plan

Family Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication Protection; System & Information Integrity

Abstract This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%202

Final SP 800-57 Part 3 12/1/2009 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance

Topic Authentication; Cryptography; Digital Signatures; PKI; Planning

Keyword Accreditation; assurances; authentication; authorization; availability; backup; certification; compromise; confidentiality; cryptanalysis; cryptographic key; cryptographic module; digital signature; key management; key management policy; key recovery; private key; public key; public key infrastructure; security plan; trust anchor; validation

Family Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication Protection; System & Information Integrity

Abstract This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%203

Final SP 800-58 1/1/2005 Security Considerations for Voice Over IP Systems

Topic Communications & Wireless; Services & Acquisitions

Keyword Telecommunications security; Voice Over Internet Protocol; VOIP; vulnerabilities

Family Access Control; Physical & Environmental Protection; Planning; System & Communication Protection

Abstract Voice over Internet Protocol (VOIP) refers to the transmission of speech across data-style networks. This form of transmission is conceptually superior to conventional circuit switched communication in many ways. However, a plethora of security issues are associated with still-evolving VOIP technology. This publication introduces VOIP, its security challenges, and potential countermeasures for VOIP vulnerabilities.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-58

Final SP 800-59 8/1/2003 Guideline for Identifying an Information System as a National Security System

Topic Certification & Accreditation (C&A)

Keyword Computer security; national security systems

Family Risk Assessment

Abstract This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act. In addition to defining the term national security system, FISMA amended the NIST Act, at 15 U.S.C. 278g-3(b)(3), to require NIST to provide guidelines for identifying an information system as a national security system. As stated in the House Committee report, "This guidance is not to govern such systems, but rather to ensure that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements" (Report of the Committee on Government Reform, U.S. House of Representatives, Report 107-787, November 14, 2002, p. 85). Accordingly, the purpose of these guidelines is not to establish requirements for national security systems, but rather to assist agencies in determining which, if any, of their systems are national security systems as defined by FISMA and are to be governed by applicable requirements for such systems, issued in accordance with law and as directed by the President. The guideline includes definitions of relevant terms, the legal or administrative basis for the definitions, a checklist to be used in determining whether or not a system is a national security system, and guidelines for completion of the checklist.

Legal Federal Information Security Management Act of 2002 (FISMA)/Identification of an Information System as a National Security System; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-59

Final SP 800-60 Rev. 1 8/1/2008 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories; Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories

Topic Certification & Accreditation (C&A); Risk Assessment

Keyword Computer security; cyber security; FISMA; categorization; information type; security category

Family Program Management; Risk Assessment

Abstract Title III of the E-Government Act, titled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST to develop (1) standards to be used by all Federal agencies to categorize information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (2) guidelines recommending the types of information and information systems to be included in each such category. Special Publication 800-60 was issued in response to the second of these tasks. The revision to Volume I contains the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in Volume I include security categorization recommendations and rationale for mission-based and management and support information types.


Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-60-Rev.%201

Final SP 800-61 Rev. 2 8/1/2012 Computer Security Incident Handling Guide

Topic Incident Response; Maintenance; Risk Assessment; Viruses & Malware

Keyword Computer security incident; incident handling; incident response; threats; vulnerabilities

Family Incident Response; System & Information Integrity

Abstract Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-61-Rev.%202

Final SP 800-63-2 8/29/2013 Electronic Authentication Guideline

Topic Authentication; Cryptography; PKI

Keyword authentication; authentication assurance; credential service provider; electronic authentication; electronic credentials; identity proofing; passwords; PKI; tokens

Family Identification & Authentication

Abstract This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63-1.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63--2

Final SP 800-64 Rev. 2 10/1/2008 Security Considerations in the System Development Life Cycle

Topic General IT Security

Keyword Computer Security; Cyber Security; FISMA; SDLC; System Development

Family Planning; System & Services Acquisition


Abstract The purpose of this guideline is to assist agencies in building security into their IT development processes. This should result in more cost-effective, risk-appropriate security control identification, development, and testing. This guide focuses on the information security components of the System Development Life Cycle (SDLC). Overall system implementation and development is considered outside the scope of this document. Also considered outside scope is an organization's information system governance process.

First, the guideline describes the key security roles and responsibilities that are needed in development of most information systems. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-64-Rev.%202

DRAFT SP 800-65 Rev. 1 7/14/2009 Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process

Topic Planning; Services & Acquisitions

Keyword

Family Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System & Services Acquisition

Abstract SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.

Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-65-Rev.%201

Final SP 800-65 1/1/2005 Integrating IT Security into the Capital Planning and Investment Control Process

Topic Services & Acquisitions

Keyword Capital planning and investment control; CPIC; FISMA; IT security investments

Family Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System & Services Acquisition

Abstract Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. In addition, with increased competition for limited federal budgets and resources, agencies must ensure that available funding is applied towards the agencies' highest priority IT security investments. Applying funding towards high-priority security investments supports the objective of maintaining appropriate security controls, both at the enterprise-wide and system level, commensurate with levels of risk and data sensitivity. This special publication introduces common criteria against which agencies can prioritize security activities to ensure that corrective actions identified in the annual FISMA reporting process are incorporated into the capital planning process to deliver maximum security in a cost-effective manner.

Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-65


Final SP 800-66 Rev. 1 10/1/2008 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

Topic Awareness & Training; Services & Acquisitions

Keyword Information Security; Healthcare; HIPAA; Security Rule

Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Contingency Planning; Identification & Authentication; Incident Response; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract Special Publication 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.

Legal Health Insurance Portability and Accountability Act (HIPAA)/Standardize Electronic Data Interchange in Health Care Transactions

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-66-Rev.%201

Final SP 800-67 Rev. 1 1/1/2012 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher

Topic Cryptography

Keyword Block cipher; computer security; cryptography; data encryption algorithm; security; triple data encryption algorithm

Family System & Communication Protection

Abstract This publication specifies the Triple Data Encryption Algorithm (TDEA), including its primary component cryptographic engine, the Data Encryption Algorithm (DEA). When implemented in an SP 800-38-series-compliant mode of operation and in a FIPS 140-2-compliant cryptographic module, TDEA may be used by Federal organizations to protect sensitive unclassified data. Protection of data during transmission or while in storage may be necessary to maintain the confidentiality and integrity of the information represented by the data. This Recommendation defines the mathematical steps required to cryptographically protect data using TDEA and to subsequently process such protected data. TDEA is made available for use by Federal agencies within the context of a total security program consisting of physical security procedures, good information management practices, and computer system/network access controls.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-67-Rev.%201

Final SP 800-68 Rev. 1 10/1/2008 Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist

Topic Audit & Accountability; Authentication; Maintenance

Keyword Federal Desktop Core Configuration; host security; Windows security; Windows XP security


Family Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Maintenance; System & Communication Protection; System & Information Integrity

Abstract This publication assists IT professionals in securing Windows XP workstations, mobile computers, and computers used by telecommuters within various environments. The recommendations are specifically intended for Windows XP Professional systems running Service Pack 2 or 3. SP 800-68 Revision 1 provides detailed information about the security features of Windows XP and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of Windows XP systems in five types of environments: small office/home office, enterprise, specialized security-limited functionality, legacy, and Federal Desktop Core Configuration (FDCC).

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-68-Rev.%201

Final SP 800-69 9/1/2006 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist

Topic Maintenance

Keyword Microsoft Windows; telecommuting; Windows XP; Windows XP Home Edition

Family

Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist information technology (IT) professionals who may be responsible for securing Windows XP Home Edition computers within home offices for their organizations. Portions of the publication can also be used by home users, such as telecommuting Federal civilian agency employees and private sector organizations or individuals, to secure their personal Windows XP Home Edition computers from common threats such as malware and to keep their computers secure.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-69

Final SP 800-70 Rev. 2 2/1/2011 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers

Topic Security Automation

Keyword Checklists; baseline; security configuration; security measurement; vulnerability measurement; vulnerability scoring

Family Configuration Management; System & Communication Protection

Abstract Special Publication 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 2 updates the previous version of the document, which was released in 2009, primarily by adding additional SCAP-oriented guidance and content related to the United States Government Configuration Baseline (USGCB).


Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-70-Rev.%202

Final SP 800-72 11/1/2004 Guidelines on PDA Forensics

Topic Forensics

Keyword Computer forensics; digital evidence; mobile device security

Family Audit & Accountability; Identification & Authentication; Media Protection

Abstract Forensic specialists periodically encounter unusual devices and new technologies normally not envisaged as having immediate relevance from a digital forensics perspective. The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with Personal Digital Assistants (PDAs), and to prepare forensic specialists to deal with new situations when they are encountered. This guide provides an in-depth look into PDAs and explains associated technologies and their impact on the procedures for forensic specialists. It covers the characteristics of three families of devices, Pocket PC, Palm OS, and Linux-based PDAs, and the relevance of the operating systems associated with each.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-72

DRAFT SP 800-73-4 5/13/2013 Interfaces for Personal Identity Verification

Topic Authentication; Biometrics; Cryptography; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards

Keyword authentication; FIPS 201; identity credential; logical access control; on-card biometric comparison; Personal Identity Verification (PIV); physical access control; smart cards; secure messaging

Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection

Abstract FIPS 201 defines the requirements and characteristics of a government-wide interoperable identity credential. FIPS 201 also specifies that this identity credential must be stored on a smart card. This document, SP 800-73, contains the technical specifications to interface with the smart card to retrieve and use the PIV identity credentials. The specifications reflect the design goals of interoperability and PIV Card functions. The goals are addressed by specifying a PIV data model, card edge interface, and application programming interface. Moreover, this document enumerates requirements where the international integrated circuit card standards [ISO7816] include options and branches. The specifications go further by constraining implementers' interpretations of the normative standards. Such restrictions are designed to ease implementation, facilitate interoperability, and ensure performance, in a manner tailored for PIV applications.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsDrafts.html#800-73-4


Final SP 800-73-3 2/1/2010 Interfaces for Personal Identity Verification

Topic Authentication; Biometrics; Cryptography; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards

Keyword HSPD-12; PIV; PACS; FIPS 201; PIV authentication mechanisms; Smart Card

Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection

Abstract FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, defines procedures for the PIV lifecycle activities including identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201 also specifies that the identity credentials must be stored on a smart card. SP 800-73-3 contains the technical specifications to interface with the smart card to retrieve and use the identity credentials. The specifications reflect the design goals of interoperability and PIV Card functions. The goals are addressed by specifying a PIV data model, card edge interface, and application programming interface. Moreover, SP 800-73-3 enumerates requirements where the standards include options and branches.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-73--3

Final SP 800-76-1 1/1/2007 Biometric Data Specification for Personal Identity Verification

Topic Biometrics; Personal Identity Verification (PIV)

Keyword Conformance Test; SP 800-73; Personal Identity Verification; Derived Test Requirement; Test Assertions

Family Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Physical & Environmental Protection; System & Services Acquisition

Abstract This document, Special Publication 800-76, is a companion document to FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. It describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is high performance universal interoperability. For the preparation of biometric data suitable for the Federal Bureau of Investigation (FBI) background check, SP 800-76 references FBI documentation, including the ANSI/NIST Fingerprint Standard and the Electronic Fingerprint Transmission Specification. This document does not preclude use of other biometric modalities in conjunction with the PIV card.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-76--1

Final SP 800-76-2 7/11/2013 Biometric Specifications for Personal Identity Verification

Topic Biometrics; Personal Identity Verification (PIV)

Keyword biometrics; credentials; identity management


Family Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Physical & Environmental Protection; System & Services Acquisition

Abstract Homeland Security Presidential Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors [HSPD-12], called for new standards to be adopted governing interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS 201), was developed to define procedures and specifications for issuance and use of an interoperable identity credential. This document, Special Publication 800-76 (SP 800-76), is a companion document to FIPS 201. It describes technical acquisition and formatting specifications for the PIV system, including the PIV Card itself. It also establishes minimum accuracy specifications for deployed biometric authentication processes. The approach is to enumerate procedures and formats for collection and preparation of fingerprint, iris and facial data, and to restrict values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is to enable high performance and universal interoperability. The introduction of iris and face specifications into the current edition adds alternative modalities for biometric authentication and extends coverage to persons for whom fingerprinting is problematic. The addition of on-card comparison offers an alternative to PIN-mediated card activation as well as an additional authentication method.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-76--2

Final SP 800-77 12/1/2005 Guide to IPsec VPNs

Topic Communications & Wireless

Keyword IPsec; network security; virtual private network; VPN

Family Access Control; Identification & Authentication; Maintenance; System & Communication Protection

Abstract IPsec is a framework of open standards for ensuring private communications over public networks. It has become the most common network layer security control, typically used to create a virtual private network (VPN). A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and control information transmitted between networks. VPNs are used most often to protect communications carried over public networks such as the Internet. A VPN can provide several types of data protection, including confidentiality, integrity, data origin authentication, replay protection and access control. Although VPNs can reduce the risks of networking, they cannot totally eliminate them. This document discusses the need for network layer security and introduces the concept of virtual private networking (VPN). It covers the fundamentals of IPsec, focusing on its primary components: the Encapsulating Security Payload (ESP), the Authentication Header (AH), and the Internet Key Exchange (IKE). It describes issues to be considered during IPsec planning and implementation. It also discusses several alternatives to IPsec and describes when each method may be appropriate. Several case studies are presented that show how IPsec could be used in various scenarios. It ends with a brief discussion of future directions for IPsec. The document contains an IPsec-related bibliography and lists of print and online resources and tools that may be useful for IPsec planning and implementation.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-77

DRAFT SP 800-78-4 5/13/2013 Cryptographic Algorithms and Key Sizes for Personal Identity Verification

Topic Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards


Keyword cryptographic algorithm; FIPS 201; identity credential; Personal Identity Verification (PIV); smart cards

Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection

Abstract Federal Information Processing Standard 201 (FIPS 201) defines requirements for the PIV lifecycle activities including identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201 also defines the structure of an identity credential that includes cryptographic keys. This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and the related Special Publication 800-73, Interfaces for Personal Identity Verification [SP800-73], and SP 800-76, Biometric Data Specification for Personal Identity Verification [SP800-76], that rely on cryptographic functions.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsDrafts.html#800-78-4

Final SP 800-78-3 12/1/2010 Cryptographic Algorithms and Key Sizes for Personal Identification Verification

Topic Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards

Keyword PIV; FIPS 201; HSPD-12; Cryptography; digital signature; authentication; Personal Identity Verification

Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection

Abstract This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, as well as the supporting infrastructure specified in FIPS 201 and the related Special Publication 800-73, Interfaces for Personal Identity Verification, and SP 800-76, Biometric Data Specification for Personal Identity Verification, that rely on cryptographic functions.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-78--3

Final SP 800-79-1 6/1/2008 Guidelines for the Accreditation of Personal Identity Verification Card Issuers

Topic Personal Identity Verification (PIV); Services & Acquisitions


Keyword Accreditation; credentials; HSPD-12; PCI; Personal Identity Verification; PIV; security assessment

Family Certification, Accreditation & Security Assessments

Abstract The purpose of this publication is to provide appropriate and useful guidelines for accrediting the reliability of issuers of Personal Identity Verification cards that are established to collect, store, and disseminate personal identity credentials and issue smart cards, based on the standards published in response to Homeland Security Presidential Directive 12 (HSPD-12). These issuers, who are the target of assessment and accreditation, are called Personal Identity Verification Card Issuers or PCIs. The reliability of PCIs is of utmost importance when one organization (e.g., a Federal agency or Federal contractor) is required to trust the identity credentials and cards of individuals that were created and issued, respectively, by another organization. This trust will only exist if organizations relying on the credentials and cards issued by a given organization have the necessary level of assurance that the reliability of the issuing organization has been established through a formal accreditation process.

This publication provides an assessment and accreditation methodology for verifying that issuers of PIV credentials and cards are reliably adhering to standards and implementation directives developed under HSPD-12.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-79--1

Final SP 800-81 Rev. 1 4/1/2010 Secure Domain Name System (DNS) Deployment Guide

Topic Communications & Wireless; Planning

Keyword Checklists; denial of service; DNS; DNS Security Extensions; DNSSEC; Domain Name System; information system security; Internet Protocol (IP); risks; vulnerabilities

Family Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System & Communication Protection

Abstract This document provides deployment guidelines for securing the Domain Name System (DNS) in any enterprise, whether a government agency or a corporate entity. The deployment guidelines follow from an analysis of security objectives and consequent protection approaches for all DNS components. This document was originally published in May 2006. Since then the following IETF RFCs, FIPS and NIST Cryptographic guidance documents have been published, and this revision takes into account the specifications and recommendations found in those documents: DNSSEC Operational Practices (RFC 4641), Automated Updates for DNS Security (DNSSEC) Trust Anchors (RFC 5011), DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155), HMAC SHA TSIG Algorithm Identifiers (RFC 4635), The Keyed-Hash Message Authentication Code (HMAC) (FIPS 198-1), Digital Signature Standard (FIPS 186-3) and Recommendations for Key Management (SP 800-57P1 & SP 800-57P3). In addition, this revision provides illustrations of secure configuration examples using the DNS software offering NSD, in addition to BIND, guidelines on procedures for migrating to a new cryptographic algorithm for signing of the zone (Section 11.5), guidelines for procedures for migrating to NSEC3 specifications from NSEC for providing authenticated denial of existence (Section 11.6) and deployment guidelines for Split-Zone under different scenarios (Section 11.7).

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-81-Rev.%201

Final SP 800-81-2 9/13/2013 Secure Domain Name System (DNS) Deployment Guide

Topic Communications & Wireless; Planning

Keyword Authoritative Name Server; Caching Name Server; Domain Name System (DNS); DNS Query/Response; DNS Security Extensions (DNSSEC); Resource Record (RR); Trust Anchor; Validating Resolver

Family Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System & Communication Protection

Abstract The Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back. The DNS infrastructure is made up of computing and communication entities called Name Servers, each of which contains information about a small portion of the domain name space. The domain name data provided by DNS is intended to be available to any computer located anywhere in the Internet. This document provides deployment guidelines for securing DNS within an enterprise. Because DNS data is meant to be public, preserving the confidentiality of DNS data is not a concern. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. This document provides extensive guidance on maintaining data integrity and performing source authentication. DNS components are often subjected to denial-of-service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components. This document presents guidelines for configuring DNS deployments to prevent many denial-of-service attacks that exploit vulnerabilities in various DNS components.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-81--2

Final SP 800-82 Rev. 1 5/14/2013 Guide to Industrial Control Systems (ICS) Security

Topic Cyber-Physical Systems & Smart Grid; Risk Assessment

Keyword computer security; distributed control systems (DCS); industrial control systems (ICS); information security; network security; programmable logic controllers (PLC); risk management; security controls; supervisory control and data acquisition (SCADA) systems

Family

Abstract This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Legal Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-82-Rev.%201

Final SP 800-83 Rev. 1 7/22/2013 Guide to Malware Incident Prevention and Handling for Desktops and Laptops

Topic Incident Response; Maintenance; Viruses & Malware

Keyword incident response; information security; malware

Family Access Control; Audit & Accountability; Configuration Management; Contingency Planning; Incident Response; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization's malware incident prevention measures. It also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-83-Rev.%201

Final SP 800-84 9/1/2006 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities

Topic Certification & Accreditation (C&A); Contingency Planning; Incident Response; Maintenance; Risk Assessment

Keyword Contingency plan; exercise; FISMA; incident response plan; test; training and exercise

Family

Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist organizations in designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events in an effort to aid personnel in preparing for adverse situations involving information technology (IT). The events are designed to train personnel, exercise IT plans, and test IT systems, so that an organization can maximize its ability to prepare for, respond to, manage, and recover from disasters that may affect its mission. The guide describes the design, development, conduct, and evaluation of events for single organizations, as opposed to large-scale events that may involve multiple organizations.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-84

Final SP 800-85A-2 7/1/2010 PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 Compliance)

Topic Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards

Keyword PIV; HSPD-12; Smart Cards; Identity Management; Testing; SP 800-73-3

Family Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition

Abstract The objective of this document is to provide test requirements and test assertions that could be used to validate the compliance/conformance of two PIV components, PIV middleware and the PIV card application, with the specification in NIST SP 800-73-3, Interfaces for Personal Identity Verification.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-A-2

DRAFT SP 800-85B-1 9/1/2009 PIV Data Model Test Guidelines

Topic Personal Identity Verification (PIV); Services & Acquisitions

Keyword

Family Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition

Abstract A robust testing framework and guidelines to provide assurance that a particular component or system is compliant with FIPS 201 and supporting standards should exist to build the necessary PIV infrastructure to support common unified processes and systems for government-wide use. NIST developed test guidelines in two parts. The first part addresses test requirements for the interface to the PIV card, which are provided in NIST Special Publication 800-85A (SP 800-85A). The second part provides test requirements for the PIV data model and is provided in this document. This document specifies the derived test requirements, and the detailed test assertions and conformance tests for testing the PIV data model.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-B-1

Final SP 800-85B 7/1/2006 PIV Data Model Test Guidelines

Topic Personal Identity Verification (PIV); Services & Acquisitions

Keyword Personal Identity Verification; PIV Card; HSPD-12; FIPS 201; PIV Data Model Testing; Smart Card

Family Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition

Abstract In order to build the necessary PIV infrastructure to support common unified processes and government-wide use of identity credentials, NIST developed this test guidance document that ensures interoperability of PIV data. This document provides test requirements for the PIV data model. This test guidance document specifies the test plan, processes, derived test requirements, and the detailed test assertions / conformance tests for testing the PIV data model.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-B

Final SP 800-86 8/1/2006 Guide to Integrating Forensic Techniques into Incident Response

Topic Forensics; Incident Response

Keyword FISMA; Forensics; Incident Response

Family Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Media Protection; Physical & Environmental Protection; System & Information Integrity

Abstract This publication is intended to help organizations in investigating computer security incidents and troubleshooting some information technology (IT) operational problems by providing practical guidance on performing computer and network forensics. The guide presents forensics from an IT view, not a law enforcement view. Specifically, the publication describes the processes for performing effective forensics activities and provides advice regarding different data sources, including files, operating systems (OS), network traffic, and applications.

The publication is not to be used as an all-inclusive step-by-step guide for executing a digital forensic investigation or construed as legal advice. Its purpose is to inform readers of various technologies and potential ways of using them in performing incident response or troubleshooting activities. Readers are advised to apply the recommended practices only after consulting with management and legal counsel for compliance concerning laws and regulations (i.e., local, state, Federal, and international) that pertain to their situation.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-86

Final SP 800-87 Rev. 1 4/1/2008 Codes for Identification of Federal and Federally-Assisted Organizations

Topic Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards

Keyword HSPD-12; PIV; PACS; FIPS 201; identity credentials; Smart Card; personal identification verification

Family Access Control; Identification & Authentication

Abstract The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) for Federal Employees and Contractors, (Federal Information Processing Standard 201 (FIPS 201)) was developed to establish standards for identity credentials. This document, Special Publication 800-87 (SP 800-87), provides the organizational codes necessary to establish the PIV Federal Agency Smart Credential Number (PIV FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier (CHUID) and is a companion document to FIPS 201.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-87-Rev.%201

DRAFT SP 800-88 Rev. 1 9/6/2012 Guidelines for Media Sanitization

Topic Certification & Accreditation (C&A); Forensics; General IT Security; Maintenance; Risk Assessment

Keyword

Family Maintenance; Media Protection; Risk Assessment

Abstract SP 800-88 discussed methods, techniques and best practices for the sanitization of target data on different media types and risk-based approaches organizations can apply to establish and maintain a media sanitization program.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-88-Rev.%201

Final SP 800-88 9/11/2006 Guidelines for Media Sanitization

Topic Certification & Accreditation (C&A); Forensics; General IT Security; Maintenance; Risk Assessment

Keyword Information disposal; media disposal; media sanitization; storage security; purge, sanitization

Family Maintenance; Media Protection; Risk Assessment

Abstract Information systems capture, process, and store information using a wide variety of media. This information is located not only on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information created, processed, and stored by an information technology (IT) system throughout its life, from inception through disposition, is a primary concern of an information system owner and the custodian of the data. With the more prevalent use of increasingly sophisticated encryption, an attacker wishing to gain access to an organization's sensitive information is forced to look outside the system itself for that information. One avenue of attack is the recovery of supposedly deleted data from media. These residual data may allow unauthorized individuals to reconstruct data and thereby gain access to sensitive information. Sanitization can be used to thwart this attack by ensuring that deleted data cannot be easily recovered. When storage media are transferred, become obsolete, or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical, electrical, or other representation of data that has been deleted is not easily recoverable. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. This guide will assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-88

Final SP 800-89 11/1/2006 Recommendation for Obtaining Assurances for Digital Signature Applications

Topic Authentication; Digital Signatures; PKI

Keyword assurance; Certification Authority; digital signatures; timestamp token; Trusted Timestamp Authority

Family Audit & Accountability; Planning; System & Communication Protection

Abstract Entities participating in the generation or verification of digital signatures depend on the authenticity of the process. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the private key, and assurance of the identity of the key pair owner.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-89

DRAFT SP 800-90A Rev. 1 4/21/2014 Recommendation for Random Number Generation Using Deterministic Random Bit Generators

Topic Cryptography

Keyword deterministic random bit generator (DRBG); entropy; hash function; random number generator

Family System & Communication Protection

Abstract This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions, block cipher algorithms or number theoretic problems.

Legal

Link http://csrc.nist.gov/publications/PubsDrafts.html#800-90Ar1

Final SP 800-90A 1/1/2012 Recommendation for Random Number Generation Using Deterministic Random Bit Generators

Topic Cryptography

Keyword deterministic random bit generator (DRBG); entropy; hash function; random number generator

Family System & Communication Protection

Abstract This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions, block cipher algorithms or number theoretic problems.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-90-A

DRAFT SP 800-90B 9/9/2013 Recommendation for the Entropy Sources Used for Random Bit Generation

Topic Cryptography

Keyword deterministic random bit generator (DRBG); entropy; hash function; random number generator; noise source; entropy source; conditioning component

Family System & Communication Protection

Abstract This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#800-90ABC

DRAFT SP 800-90C 9/9/2013 Recommendation for Random Bit Generator (RBG) Constructions

Topic Cryptography

Keyword deterministic random bit generator (DRBG), entropy, entropy source, non-deterministic random bit generator (NRBG), random number generator, source of entropy input

Family System & Communication Protection

Abstract SP 800-90C specifies constructions for the implementation of random bit generators (RBGs). An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms as specified in SP 800-90A and entropy sources as specified in SP 800-90B.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#800-90ABC

Final SP 800-92 9/1/2006 Guide to Computer Security Log Management

Topic Audit & Accountability

Keyword computer security log management; FISMA; log management

Family Audit & Accountability; Incident Response; Media Protection; Physical & Environmental Protection; System & Information Integrity

Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. The guidance in this publication covers several topics, including establishing log management infrastructures, and developing and performing robust log management processes throughout an organization. The publication presents logging technologies from a high-level viewpoint, and it is not a step-by-step guide to implementing or using logging technologies.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-92

Final SP 800-94 2/1/2007 Guide to Intrusion Detection and Prevention Systems (IDPS)

Topic Audit & Accountability; Forensics; Incident Response; Planning

Keyword FISMA; intrusion detection; intrusion detection and prevention; intrusion prevention

Family Audit & Accountability; Incident Response; Planning

Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist organizations in understanding intrusion detection system (IDS) and intrusion prevention system (IPS) technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems (IDPS). It provides practical, real-world guidance for each of four classes of IDPS: network-based, wireless, network behavior analysis software, and host-based. The publication also provides an overview of complementary technologies that can detect intrusions, such as security information and event management software. It focuses on enterprise IDPS, but most of the information in the publication is also applicable to standalone and small-scale IDPS deployments.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-94

DRAFT SP 800-94 Rev. 1 7/25/2012 Guide to Intrusion Detection and Prevention Systems (IDPS)

Topic Audit & Accountability; Forensics; Incident Response; Planning

Keyword

Family Audit & Accountability; Incident Response; Planning

Abstract Intrusion detection and prevention systems (IDPS) are focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-94-Rev.%201

Final SP 800-95 8/1/2007 Guide to Secure Web Services

Topic General IT Security; Planning; Research

Keyword Application security; Web services

Family Planning; System & Communication Protection

Abstract The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), SOAP, and related open standards, and deployed in Service Oriented Architectures (SOA), allow data and applications to interact without human intervention through dynamic and ad hoc connections. The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy, are at odds with traditional security models and controls. Ensuring the security of Web services involves augmenting traditional security mechanisms with security frameworks based on use of authentication, authorization, confidentiality, and integrity mechanisms. This document describes how to implement those security mechanisms in Web services. It also discusses how to make Web services and portal applications robust against the attacks to which they are subject.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-95

Final SP 800-96 9/1/2006 PIV Card to Reader Interoperability Guidelines

Topic Personal Identity Verification (PIV); Smart Cards

Keyword Personal Identity Verification; PIV Card; PIV Card Reader; HSPD-12; FIPS 201

Family Access Control; Identification & Authentication; Physical & Environmental Protection

Abstract The purpose of this document is to present recommendations for Personal Identity Verification (PIV) card readers in the area of performance and communications characteristics to foster interoperability. This document is not intended to restate or contradict requirements specifically identified in Federal Information Processing Standard 201 (FIPS 201) or its associated documents. It is intended to augment existing standards to enable agencies to achieve the interoperability goal of Homeland Security Presidential Directive 12 (HSPD-12).

The document provides requirements that facilitate interoperability between any card and any reader. Specifically, the recommendations are for end-point cards and readers designed to read end-point cards.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-96

Final SP 800-97 2/1/2007 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

Topic Communications & Wireless; Services & Acquisitions

Keyword IEEE 802.11; network security; Wi-Fi; wireless local area network; wireless networking

Family Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition

Abstract This report provides readers with a detailed explanation of next generation 802.11 wireless security. It describes the inherently flawed Wired Equivalent Privacy (WEP) and explains 802.11i's two-step approach (interim and long-term) to providing effective wireless security. It describes secure methods used to authenticate users in a wireless environment, and presents several sample case studies of wireless deployment. It also includes guidance on best practices for establishing secure wireless networks using the emerging Wi-Fi technology.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-97

Final SP 800-98 4/1/2007 Guidelines for Securing Radio Frequency Identification (RFID) Systems

Topic Communications & Wireless; Planning

Keyword Radio Frequency Identification; RFID; Security; Privacy

Family Identification & Authentication; Physical & Environmental Protection; System & Communication Protection; System & Services Acquisition

Abstract This publication seeks to assist organizations in understanding the risks of RFID technology and security measures to mitigate those risks. It provides practical, real-world advice on how to initiate, design, implement and operate RFID systems in a manner that mitigates security and privacy risks. The document also provides background information on RFID applications, standards, and system components to assist in the understanding of RFID security risks and controls. This document presents information that is independent of particular hardware platforms, operating systems, and applications. The emphasis is on RFID systems that are based on industry and international standards, although the existence of proprietary approaches is noted when they offer relevant security features not found in current standards.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-98

Final SP 800-100 3/7/2007 Information Security Handbook: A Guide for Managers

Topic General IT Security

Keyword Awareness; capital planning; certification; configuration management; contingency plan; incident response;

interconnecting systems; performance measures; risk management; security governance; security plans; security

services; system development life cycle; training

Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;

Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;

Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &

Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract This Information Security Handbook provides a broad overview of information security program elements to assist

managers in understanding how to establish and implement an information security program. Typically, the organization

looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls

and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were

selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the

Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the

decision making process for developing an information security program. National Institute of Standards and Technology

(NIST) Interagency Report (IR) 7298, Glossary of Key Information Security Terms, provides a summary glossary for the

basic security terms used throughout this document. While reading this handbook, please consider that the guidance is

not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business

requirements.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-100

DRAFT SP 800-101 Rev. 1 9/4/2013 Guidelines on Mobile Device Forensics

Topic Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions

Keyword Computer forensics; digital evidence; mobile device security

Family Incident Response; Planning; System & Services Acquisition


Abstract Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound

conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This

guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies

involved and their relationship to forensic procedures.

The goal of mobile forensics is to apply sound methodologies to the acquisition of data contained within

the internal memory of a mobile device and associated media, providing the ability to accurately report one's findings.

This guide also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital

evidence. The issue of ever increasing backlogs for most digital forensics labs is addressed and guidance is provided on

handling on-site triage casework.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;

Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure

& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;

Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-101-Rev.%201

Final SP 800-101 5/1/2007 Guidelines on Cell Phone Forensics

Topic Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions

Keyword Computer Forensics; Cell Phones; Digital Evidence

Family Incident Response; Planning; System & Services Acquisition

Abstract Forensic specialists periodically encounter unusual devices and new technologies outside of traditional computer

forensics. Cell phones are an emerging area with such characteristics. The objective of this guide is twofold: to help

organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists

to contend with new circumstances involving cell phones, when they arise. This guide provides an in-depth look into cell

phones and explains associated technologies and their effect on the procedures followed by forensic specialists. It also

discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital information present

on cell phones, as well as available forensic software tools that support those activities.


Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;

Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure

& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;

Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-101

Final SP 800-102 9/1/2009 Recommendation for Digital Signature Timeliness

Topic Authentication; Cryptography; Digital Signatures

Keyword Digital signatures; timeliness; timestamp; Trusted Timestamp Authority

Family System & Communication Protection

Abstract Establishing the time when a digital signature was generated is often a critical consideration. A signed message that

includes the (purported) signing time provides no assurance that the private key was used to sign the message at that

time unless the accuracy of the time can be trusted. With the appropriate use of digital signature-based timestamps from a

Trusted Timestamp Authority (TTA) and/or verifier-supplied data that is included in the signed message, the signatory can

provide some level of assurance about the time that the message was signed.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-102

DRAFT SP 800-103 10/6/2006 An Ontology of Identity Credentials - Part 1: Background and Formulation

Topic Authentication; Biometrics; General IT Security; Personal Identity Verification (PIV); Smart Cards

Keyword

Family Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection; System &

Communication Protection

Abstract This document provides the broadest possible range of identity credentials and supporting documents insofar as they

pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued

within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas, as a

framework for retention and exchange of identity credential information.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure

& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks


Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-103

Final SP 800-104 6/1/2007 A Scheme for PIV Visual Card Topography

Topic Authentication; Personal Identity Verification (PIV); Smart Cards

Keyword PIV; FIPS 201; personal identification verification

Family Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection

Abstract The purpose of this document is to provide additional recommendations on the Personal Identity Verification (PIV) Card

color-coding for designating employee affiliation. The recommendations in this document complement FIPS 201 in order

to increase the reliability of PIV card visual verification.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure

& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Conduct Security Awareness Training

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-104

Final SP 800-106 2/1/2009 Randomized Hashing for Digital Signatures

Topic Cryptography; Digital Signatures

Keyword Digital signature; cryptographic hash function; hash function; collision resistance; randomized hashing.

Family Identification & Authentication; System & Communication Protection; System & Information Integrity

Abstract NIST-approved digital signature algorithms require the use of an approved cryptographic hash function in the generation

and verification of signatures. Approved cryptographic hash functions and digital signature algorithms can be found in

FIPS 180-3, Secure Hash Standard (SHS), and FIPS 186-3, Digital Signature Standard (DSS), respectively. The security

provided by the cryptographic hash function is vital to the security of a digital signature application. This Recommendation

specifies a method to enhance the security of the cryptographic hash functions used in digital signature applications by

randomizing the messages that are signed.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-106

Final SP 800-107 Rev. 1 8/1/2012 Recommendation for Applications Using Approved Hash Algorithms

Topic Cryptography; Digital Signatures

Keyword Digital signatures; hash algorithms; cryptographic hash function; hash function; hash-based key derivation algorithms;

hash value; HMAC; message digest; randomized hashing; random number generation; SHA; truncated hash values.

Family Identification & Authentication; System & Communication Protection; System & Information Integrity


Abstract Hash functions that compute a fixed-length message digest from arbitrary length messages are widely used for many

purposes in information security. This document provides security guidelines for achieving the required or desired security

strengths when using cryptographic applications that employ the approved hash functions specified in Federal Information

Processing Standard (FIPS) 180-4. These include functions such as digital signatures, Keyed-hash Message

Authentication Codes (HMACs) and Hash-based Key Derivation Functions (Hash-based KDFs).

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-107-Rev.%201

Final SP 800-108 10/1/2009 Recommendation for Key Derivation Using Pseudorandom Functions (Revised)

Topic Cryptography; General IT Security

Keyword Key derivation; pseudorandom function.

Family

Abstract This Recommendation specifies techniques for the derivation of additional keying material from a secret key, either

established through a key establishment scheme or shared through some other manner, using pseudorandom functions.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-108

Final SP 800-111 11/1/2007 Guide to Storage Encryption Technologies for End User Devices

Topic Cryptography; General IT Security

Keyword Computer security; mobile device security; removable media security; storage encryption; storage security

Family Configuration Management; Media Protection; System & Communication Protection; System & Information Integrity

Abstract Many threats against end user devices, such as desktop and laptop computers, smart phones, personal digital assistants,

and removable media, could cause information stored on the devices to be accessed by unauthorized parties. To prevent

such disclosures of information, the information needs to be secured. This publication explains the basics of storage

encryption, which is the process of using encryption and authentication to restrict access to and use of stored information.

The appropriate storage encryption solution for a particular situation depends primarily upon the type of storage, the

amount of information that needs to be protected, the environments where the storage will be located, and the threats that

need to be mitigated. This publication describes three types of solutions—full disk encryption, volume and virtual disk

encryption, and file/folder encryption—and makes recommendations for implementing and using each type. This

publication also includes several use case examples, which illustrate that there are multiple ways to meet most storage

encryption needs.


Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-111

Final SP 800-113 7/1/2008 Guide to SSL VPNs

Topic Authentication; Communications & Wireless; Cryptography; Planning

Keyword Secure sockets layer; secure remote access; SSL; TLS; transport layer security; virtual private network; VPN

Family Access Control; Identification & Authentication; Planning; System & Communication Protection; System & Information

Integrity

Abstract Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) provide users with secure remote access to an

organization's resources. An SSL VPN consists of one or more VPN devices to which users connect using their Web

browsers. The traffic between the Web browser and SSL VPN device is encrypted with the SSL protocol. SSL VPNs can

provide remote users with access to Web applications and client/server applications, as well as connectivity to internal

networks. They offer versatility and ease of use because they use the SSL protocol, which is included with all standard

Web browsers, so special client configuration or installation is often not required. In planning a VPN deployment, many

organizations are faced with a choice between an IPsec-based VPN and an SSL-based VPN. This document seeks to

assist organizations in understanding SSL VPN technologies. The publication also makes recommendations for

designing, implementing, configuring, securing, monitoring, and maintaining SSL VPN solutions. SP 800-113 provides a

phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments.

It also includes a comparison with other similar technologies such as Internet Protocol Security (IPsec) VPNs and other

VPN solutions.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-113

Final SP 800-114 11/1/2007 User's Guide to Securing External Devices for Telework and Remote Access

Topic Authentication; Communications & Wireless; General IT Security

Keyword Remote access security; remote access; telework

Family Access Control; Configuration Management; System & Communication Protection


Abstract This publication helps teleworkers secure the external devices they use for telework, such as personally owned and

privately owned desktop and laptop computers and consumer devices (e.g., cell phones, personal digital assistants

[PDA]). The document focuses specifically on security for telework involving remote access to their organization's

nonpublic computing resources. It provides practical, real-world recommendations for securing telework computers'

operating systems (OS) and applications, as well as home networks that the computers use. It presents basic

recommendations for securing consumer devices used for telework. The document also presents advice on protecting the

information stored on telework computers and removable media. In addition, it provides tips on considering the security of

a device owned by a third party before deciding whether it should be used for telework.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-114

Final SP 800-115 9/1/2008 Technical Guide to Information Security Testing and Assessment

Topic Audit & Accountability; Certification & Accreditation (C&A); Communications & Wireless; Risk Assessment; Services &

Acquisitions

Keyword Penetration testing; risk assessment; security assessment; security examination; security testing; vulnerability scanning

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Risk Assessment; System & Communication

Protection; System & Information Integrity; System & Services Acquisition

Abstract The purpose of this document is to assist organizations in planning and conducting technical information security tests

and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical

recommendations for designing, implementing, and maintaining technical information security test and examination

processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or

network and verifying compliance with a policy or other requirements. The guide is not intended to present a

comprehensive information security testing and examination program but rather an overview of key elements of technical

security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each,

and recommendations for their use.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-115

Final SP 800-116 11/1/2008 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

Topic Authentication; Biometrics; Cryptography; General IT Security; Personal Identity Verification (PIV); PKI; Planning; Risk

Assessment; Smart Cards

Keyword HSPD-12; PIV; PACS; FIPS 201; PIV authentication mechanisms; Smart Card

Family Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection; Planning


Abstract This document provides best practice guidelines for integrating the PIV Card with the physical access control systems

(PACS) that authenticate the cardholders in Federal facilities. Specifically, this document recommends a risk-based

approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal government

facilities and assets. This document also proposes a PIV implementation maturity model to measure the progress of

facility and agency implementations.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;

Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure

& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-116

DRAFT SP 800-117 Rev. 1 1/6/2012 Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk

Assessment; Security Automation; Services & Acquisitions

Keyword

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident

Response; Maintenance; Risk Assessment; System & Communication Protection

Abstract The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2.

This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to

enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2

capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for

maintaining or verifying the security of systems in operational environments.

Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-117-Rev.%201

Final SP 800-117 7/1/2010 Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security

Automation; Services & Acquisitions

Keyword Security automation; security configuration management; Security Content Automation Protocol (SCAP); vulnerability

management

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance;

Risk Assessment; System & Communication Protection; System & Services Acquisition

Abstract The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP). This

document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance

their security posture. It also explains to IT product and service vendors how they can adopt SCAP's capabilities within

their offerings.


Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-117

DRAFT SP 800-118 4/21/2009 Guide to Enterprise Password Management

Topic Authentication; Cryptography; General IT Security; Planning; Risk Assessment

Keyword

Family Identification & Authentication; Planning; Risk Assessment; System & Communication Protection; System & Information

Integrity

Abstract SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based

passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and

local password management solutions.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-118

Final SP 800-119 12/1/2010 Guidelines for the Secure Deployment of IPv6

Topic Communications & Wireless; General IT Security; Planning

Keyword IPv6; network security; Internet Protocol

Family Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract Due to the exhaustion of IPv4 address space, and the Office of Management and Budget (OMB) mandate that U.S.

federal agencies begin to use the IPv6 protocol, NIST undertook the development of a guide to help educate federal

agencies about the possible security risks during their initial IPv6 deployment. Since IPv6 is not backwards compatible

with IPv4, organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should

begin now to understand the risks of deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will

enable an organization to navigate the process smoothly and securely. This document provides guidelines for

organizations to aid in securely deploying IPv6. The goals of this document are to: educate the reader about IPv6 features

and the security impacts of those features; provide a comprehensive survey of mechanisms that can be used for the

deployment of IPv6; and provide a suggested deployment strategy for moving to an IPv6 environment. After reviewing this

document, the reader should have a reasonable understanding of IPv6 and how it compares to IPv4, security impacts of

IPv6 features and capabilities, as-yet unknown impacts of IPv6 deployment, and increased knowledge and awareness

about the range of IPv4 to IPv6 transition mechanisms.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-119

Final SP 800-120 9/1/2009 Recommendation for EAP Methods Used in Wireless Network Access Authentication

Topic Authentication; Communications & Wireless; Cryptography; General IT Security

Keyword EAP methods; authentication; key establishment.

Family Access Control

Abstract This Recommendation specifies security requirements for authentication methods with key establishment supported by

the Extensible Authentication Protocol (EAP) defined in IETF RFC 3748 for wireless access authentications to federal

networks.

Legal


Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-120

Final SP 800-121 Rev. 1 6/1/2012 Guide to Bluetooth Security

Topic Authentication; Communications & Wireless; Services & Acquisitions

Keyword Bluetooth; Bluetooth security; wireless networking; wireless network security; wireless personal area networks

Family Access Control; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract Bluetooth is an open standard for short-range radio frequency communication. Bluetooth technology is used primarily to

establish wireless personal area networks (WPANs), and it has been integrated into many types of business and

consumer devices. This publication provides information on the security capabilities of Bluetooth technologies and gives

recommendations to organizations employing Bluetooth technologies on securing them effectively. The Bluetooth versions

within the scope of this publication are versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 + High Speed

(HS), and 4.0, which includes Low Energy (LE) technology.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-121-Rev.%201

Final SP 800-122 4/1/2010 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Topic General IT Security; Planning; Risk Assessment

Keyword PII; confidentiality; privacy; PII confidentiality impact level; FIPS 199; personally identifiable information

Family Access Control; Audit & Accountability; Identification & Authentication; Media Protection; Planning; Risk Assessment;

System & Communication Protection

Abstract The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable

information (PII) in information systems. The document explains the importance of protecting the confidentiality of PII in

the context of information security and explains its relationship to privacy using the Fair Information Practices, which

are the principles underlying most privacy laws and privacy best practices. PII should be protected from inappropriate

access, use, and disclosure. This document provides practical, context-based guidance for identifying PII and determining

what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer

appropriate levels of protection for PII and provides recommendations for developing response plans for incidents

involving PII. Organizations are encouraged to tailor the recommendations to meet their specific requirements.

Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-122

Final SP 800-123 7/1/2008 Guide to General Server Security

Topic General IT Security; Maintenance; Planning

Keyword Host security; server security

Family Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Incident Response;

Maintenance; Physical & Environmental Protection; Planning; System & Communication Protection; System & Information

Integrity

Abstract The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of

securing and maintaining the security of servers that provide services over network communications as a main function.

The document discusses the need to secure servers and provides recommendations for selecting, implementing, and

maintaining the necessary security controls.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-123

Final SP 800-124 Rev. 1 6/21/2013 Guidelines for Managing the Security of Mobile Devices in the Enterprise

Topic Authentication; Communications & Wireless; Research; Services & Acquisitions; Viruses & Malware

Keyword cell phone security; information security; mobile device security; mobility; remote access; smartphone security; tablet

security; telework

Family Access Control; Configuration Management; Media Protection; Planning; System & Communication Protection; System &

Information Integrity; System & Services Acquisition

Abstract The purpose of this publication is to help organizations centrally manage and secure mobile devices against a variety of

threats. This publication provides recommendations for selecting, implementing, and using centralized management

technologies, and it explains the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1

includes securing both organization-provided and personally-owned (bring your own device) mobile devices.

Legal Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-124-Rev%201

Final SP 800-125 1/1/2011 Guide to Security for Full Virtualization Technologies

Topic Cloud Computing & Virtualization; Planning; Risk Assessment

Keyword Virtualization; hypervisor; VMM; virtual machine; VM; cloud computing

Family Access Control; Configuration Management; Planning; Risk Assessment; System & Communication Protection; System &

Information Integrity

Abstract The purpose of SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server

and desktop virtualization, and to provide recommendations for addressing these concerns. Full virtualization technologies

run one or more operating systems and their applications on top of virtual hardware. Full virtualization is used for

operational efficiency, such as in cloud computing, and for allowing users to run applications for multiple operating

systems on a single computer.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-125

Final SP 800-126 11/1/2009 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security

Automation; Services & Acquisitions

Keyword Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content

automation

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance;

Risk Assessment; System & Communication Protection; System & Services Acquisition

Abstract This document defines the technical specification for Version 1.0 of the Security Content Automation Protocol (SCAP).

SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software

communicates information about software flaws and security configurations. This document describes the basics of the

SCAP component specifications and their interrelationships, the characteristics of SCAP content, as well as SCAP

requirements not defined in the individual SCAP component specifications. This guide provides recommendations on how

to use SCAP to achieve security automation for organizations seeking to implement SCAP.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126

Final SP 800-126 Rev. 1 2/1/2011 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security

Automation; Services & Acquisitions

Keyword Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content

automation

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance;

Risk Assessment; System & Communication Protection; System & Services Acquisition

Abstract This document provides the definitive technical specification for Version 1.1 of the Security Content Automation Protocol

(SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security

software communicates information about software flaws and security configurations. This document defines all SCAP

Version 1.1 requirements that are not defined in the individual SCAP component specifications.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126-Rev.%201

Final SP 800-126 Rev. 2 9/1/2011 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2

Topic Audit & Accountability; Certification & Accreditation (C&A); Digital Signatures; General IT Security; Incident Response;

Maintenance; Risk Assessment; Security Automation; Services & Acquisitions; Viruses & Malware

Keyword Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content

automation

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident

Response; Maintenance; Risk Assessment; System & Communication Protection; System & Services Acquisition

Abstract This document provides the definitive technical specification for version 1.2 of the Security Content Automation Protocol

(SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which information

about software flaws and security configurations is communicated, both to machines and humans. This document defines

requirements for creating and processing SCAP content. These requirements build on the requirements defined within the

individual SCAP component specifications. Each new requirement pertains either to using multiple component

specifications together or to further constraining one of the individual component specifications.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126-Rev.%202

Final SP 800-127 9/1/2010 Guide to Securing WiMAX Wireless Communications

Topic Authentication; Communications & Wireless; Cryptography

Keyword WiMAX; wireless metropolitan area network; wireless network security

Family Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition

Abstract The purpose of this document is to provide information to organizations regarding the security capabilities of wireless

communications using WiMAX networks and to provide recommendations on using these capabilities. WiMAX technology

is a wireless metropolitan area network (WMAN) technology based upon the IEEE 802.16 standard. It is used for a variety

of purposes, including, but not limited to, fixed last-mile broadband access, long-range wireless backhaul, and access

layer technology for mobile wireless subscribers operating on telecommunications networks.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-127

Final SP 800-128 8/1/2011 Guide for Security-Focused Configuration Management of Information Systems

Topic Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security Automation

Keyword Configuration management; information systems; security program; risk management framework; security-focused

continuous monitoring; SecCM; control; monitoring; security content automation protocol (SCAP)

Family Configuration Management

Abstract The purpose of Special Publication 800-128, Guide for Security-Focused Configuration Management of Information

Systems, is to provide guidelines for organizations responsible for managing and administering the security of federal

information systems and associated environments of operation. Configuration management concepts and principles

described in NIST SP 800-128 provide supporting information for NIST SP 800-53, Recommended Security Controls for

Federal Information Systems and Organizations. NIST SP 800-128 assumes that information security is an integral part of

an organization’s overall configuration management. The focus of this document is on implementation of the information

system security aspects of configuration management, and as such the term security-focused configuration management

(SecCM) is used to emphasize the concentration on information security. In addition to the fundamental concepts

associated with SecCM, the process of applying SecCM practices to information systems is described. The goal of

SecCM activities is to manage and monitor the configurations of information systems to achieve adequate security and

minimize organizational risk while supporting the desired business functionality and services.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-128

Final SP 800-130 8/15/2013 A Framework for Designing Cryptographic Key Management Systems

Topic Cryptography

Keyword access control; confidentiality; cryptographic key management system; cryptographic keys; framework; integrity; key

management policies; key metadata; source authentication

Family

Abstract This Framework for Designing Cryptographic Key Management Systems (CKMS) contains topics that should be

considered by a CKMS designer when developing a CKMS design specification. For each topic, there are one or more

documentation requirements that need to be addressed by the design specification. Thus, any CKMS that addresses each

of these requirements would have a design specification that is compliant with this Framework.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-130

Final SP 800-131A 1/1/2011 Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Topic Cryptography

Keyword Cryptographic algorithm; digital signatures; encryption; hash function; key agreement; key derivation; key management;

key transport; key wrapping; message authentication codes; random number generation; security strength; transition.

Family

Abstract At the start of the 21st century, the National Institute of Standards and Technology (NIST) began the task of providing

cryptographic key management guidance, which includes defining and implementing appropriate key management

procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in

the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. NIST

Special Publication (SP) 800-57, Part 1 was the first document produced in this effort, and includes a general approach for

transitioning from one algorithm or key length to another. This Recommendation (SP 800-131A) provides more specific

guidance for transitions to the use of stronger cryptographic keys and more robust algorithms.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-131-A

Final SP 800-132 12/1/2010 Recommendation for Password-Based Key Derivation: Part 1: Storage Applications

Topic Authentication; Cryptography; General IT Security

Keyword Password-Based Key Derivation Functions; Salt; Iteration Count; Protection of data in storage.

Family Access Control

Abstract This Recommendation specifies techniques for the derivation of master keys from passwords or passphrases to protect

stored electronic data or data protection keys.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-132

Final SP 800-133 11/1/2012 Recommendation for Cryptographic Key Generation

Topic Cryptography

Keyword asymmetric key; key agreement; key derivation; key generation; key replacement; key transport; key update; key

wrapping; private key; public key; symmetric key

Family

Abstract Cryptography is often used in an information technology security environment to protect data that is sensitive, has a high

value, or is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage.

Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a cryptographic key.

This Recommendation discusses the generation of the keys to be managed and used by the approved cryptographic

algorithms.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-133

Final SP 800-135 Rev. 1 12/1/2011 Recommendation for Existing Application-Specific Key Derivation Functions

Topic Cryptography

Keyword Cryptographic key; shared secret; Diffie-Hellman (DH) key exchange; hash function; Key Derivation Function (KDF); Hash-

based Key Derivation Function; Randomness Extraction; Key expansion; Pseudorandom Function (PRF); HMAC; ANS

X9.42-2001; ANS X9.63-2001; IKE; SSH; TLS; SRTP; SNMP and TPM.

Family

Abstract Cryptographic keys are vital to the security of internet security applications and protocols. Many widely-used internet

security protocols have their own application-specific Key Derivation Functions (KDFs) that are used to generate the

cryptographic keys required for their cryptographic functions. This Recommendation provides security requirements for

those KDFs.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-135-Rev.%201

Final SP 800-137 9/1/2011 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

Topic Certification & Accreditation (C&A); General IT Security; Planning; Risk Assessment

Keyword Continuous monitoring; ISCM; information security; security; risk management

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Planning;

Program Management; Risk Assessment

Abstract The purpose of this guideline is to assist organizations in the development of a continuous monitoring strategy and the

implementation of a continuous monitoring program providing visibility into organizational assets, awareness of threats

and vulnerabilities, and visibility into the effectiveness of deployed security controls. It provides ongoing assurance that

planned and implemented security controls are aligned with organizational risk tolerance as well as the information

needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-137

DRAFT FIPS 140-3 12/11/2009 Security Requirements for Cryptographic Modules (Revised Draft)

Topic Audit & Accountability; Authentication; Communications & Wireless; Cryptography; Digital Signatures; PKI; Planning;

Services & Acquisitions

Keyword computer security; telecommunication security; physical security; software security; cryptography; cryptographic modules;

Federal Information Processing Standard (FIPS).

Family Identification & Authentication; System & Communication Protection; System & Information Integrity

Abstract The selective application of technological and related procedural safeguards is an important responsibility of every

Federal organization in providing adequate security in its computer and telecommunication systems. This standard is

applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in

computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information

Technology Management Reform Act of 1996, Public Law 104-106 and the Federal Information Security Management Act

of 2002, Public Law 107-347. This standard shall be used in designing and implementing cryptographic modules that

Federal departments and agencies operate or are operated for them under contract. The standard provides four

increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The

security requirements cover areas related to the secure design, implementation, operation and disposal of a cryptographic

module. These areas include cryptographic module specification; cryptographic module physical ports and logical

interfaces; roles, authentication, and services; software security; operational environment; physical security; physical

security – non-invasive attacks; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation

of other attacks.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents

Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-140--3

Final FIPS 140-2 12/3/2002 Security Requirements for Cryptographic Modules

Topic Audit & Accountability; Communications & Wireless; Cryptography; Digital Signatures; PKI; Planning; Services &

Acquisitions

Keyword computer security; cryptographic module; FIPS 140-2; validation

Family Identification & Authentication; System & Communication Protection; System & Information Integrity

Abstract This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a

cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications

and environments. The areas covered, related to the secure design and implementation of a cryptographic module,

include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security;

operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility

(EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents

Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-140--2

Final SP 800-142 10/1/2010 Practical Combinatorial Testing

Topic Research

Keyword Combinatorial methods; computer security; software assurance; software testing

Family

Abstract Combinatorial testing can help detect problems like this early in the testing life cycle. The key insight underlying t-way

combinatorial testing is that not every parameter contributes to every fault and most faults are caused by interactions

between a relatively small number of parameters. This publication provides a self-contained tutorial on using

combinatorial testing for real-world software, including how to use it effectively for system and software assurance. It

introduces the key concepts and methods, explains use of software tools for generating combinatorial tests (freely

available on the NIST web site csrc.nist.gov/acts), and discusses advanced topics such as the use of formal models of

software to determine the expected results for each set of test inputs. With each topic, a section on costs and practical

considerations explains tradeoffs and limitations that may impact resources or funding. The material is accessible to an

undergraduate student of computer science or engineering, and includes an extensive set of references to papers that

provide more depth on each topic.

Legal

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-142

Final SP 800-144 12/1/2011 Guidelines on Security and Privacy in Public Cloud Computing

Topic Cloud Computing & Virtualization; Planning; Research; Services & Acquisitions

Keyword Cloud Computing; Computer Security and Privacy; Information Technology Outsourcing

Family Planning

Abstract Cloud computing can and does mean different things to different people. The common characteristics most interpretations

share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered

services from nearly anywhere, and displacement of data and services from inside to outside the organization. While

aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This

publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out

considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud

environment.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-144

Final SP 800-145 9/1/2011 The NIST Definition of Cloud Computing

Topic Cloud Computing & Virtualization; Planning; Research

Keyword Cloud Computing; SaaS; PaaS; IaaS; On-demand Self Service; Resource Pooling; Rapid Elasticity; Measured Service;

Software as a Service; Platform as a Service; Infrastructure as a Service

Family

Abstract Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of

configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly

provisioned and released with minimal management effort or service provider interaction. This cloud model is composed

of five essential characteristics, three service models, and four deployment models.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-145

Final SP 800-146 5/29/2012 Cloud Computing Synopsis and Recommendations

Topic Cloud Computing & Virtualization; Planning; Research

Keyword cloud computing, computer security, virtualization

Family

Abstract This document reprises the NIST-established definition of cloud computing, describes cloud computing benefits and open

issues, presents an overview of major classes of cloud technology, and provides guidelines and recommendations on how

organizations should consider the relative opportunities and risks of cloud computing.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;

Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-146

Final SP 800-147 4/1/2011 BIOS Protection Guidelines

Topic Authentication; Awareness & Training; Certification & Accreditation (C&A); Contingency Planning; Cryptography; Digital

Signatures; General IT Security; Incident Response; Maintenance; PKI

Keyword BIOS; firmware; security; firmware updates; basic input/output system; BIOS firmware; system BIOS

Family Access Control; System & Information Integrity; System & Services Acquisition

Abstract This document provides guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS)

firmware on PC client systems. Unauthorized modification of BIOS firmware by malicious software constitutes a significant

threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification

could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service (if the BIOS is

corrupted) or a persistent malware presence (if the BIOS is implanted with malware).

As used in this publication, the term BIOS refers to conventional BIOS, Extensible Firmware Interface (EFI) BIOS, and

Unified Extensible Firmware Interface (UEFI) BIOS. This document applies to system BIOS firmware (e.g., conventional

BIOS or UEFI BIOS) stored in the system flash memory of computer systems, including portions that may be formatted as

Option ROMs. However, it does not apply to Option ROMs, UEFI drivers, and firmware stored elsewhere in a computer

system.

While this document focuses on current and future x86 and x64 client platforms, the controls and procedures are

independent of any particular system design. Likewise, although the guide is oriented toward enterprise-class platforms,

the necessary technologies are expected to migrate to consumer-grade systems over time. Future efforts may look at boot

firmware security for enterprise server platforms.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-147

DRAFT SP 800-147B 7/30/2012 BIOS Protection Guidelines for Servers

Topic Authentication; Awareness & Training; Certification & Accreditation (C&A); Contingency Planning; Cryptography; Digital

Signatures; General IT Security; Incident Response; Maintenance; PKI

Keyword Basic Input/Output System (BIOS); information security; patch management; server security

Family Access Control; System & Information Integrity; System & Services Acquisition

Abstract This guide is intended to mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic

Input/Output System (BIOS), in server-class systems. This guide identifies security requirements and guidelines for a

secure BIOS update process, using digital signatures to authenticate updates. The intended audience for this document

includes BIOS and platform vendors of server-class systems, and information system security professionals who are

responsible for procuring, deploying, and managing servers.

This document is the second in a series of publications on BIOS protections. The first document, SP800-147, BIOS

Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in

enterprise environments. In the future, NIST intends to develop a new publication providing an overview of BIOS

protections for IT security professionals to be released as SP800-147rev1, and will reissue the current SP800-147 as

SP800-147A at that time.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-147-B

DRAFT SP 800-152 1/6/2014 A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)

Topic Cryptography

Keyword access control; confidentiality; cryptographic key management system; key metadata; disaster recovery; integrity; security

assessment; security policies; source authentication

Family

Abstract This Profile for U.S. Federal Cryptographic Key Management Systems (FCKMSs) contains requirements for their design,

implementation, procurement, installation, configuration, management, operation, and use by U.S. Federal organizations.

The Profile is based on SP 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS).

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards

Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-152

Final SP 800-153 2/1/2012 Guidelines for Securing Wireless Local Area Networks (WLANs)
Topic Communications & Wireless; General IT Security; Planning; Risk Assessment
Keyword Wireless Local Area Network; WLAN; IEEE 802.11; 802.11; access points; AP; wireless networking; wireless networking security
Family Access Control; Configuration Management; Planning; Risk Assessment; System & Communication Protection
Abstract A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, access points (AP), and wireless switches—is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring. The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and strengthening their key recommendations.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-153

DRAFT SP 800-155 12/8/2011 BIOS Integrity Measurement Guidelines
Topic General IT Security
Keyword
Family Configuration Management
Abstract This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization—either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-155

DRAFT SP 800-157 3/7/2014 Guidelines for Derived Personal Identity Verification (PIV) Credentials
Topic


Keyword authentication; credentials; derived PIV credentials; electronic authentication; electronic credentials; mobile devices; personal identity verification; PIV
Family
Abstract This recommendation provides technical guidelines for the implementation of standards-based, secure, reliable, interoperable PKI-based identity credentials that are issued by Federal departments and agencies to individuals who possess and prove control over a valid PIV Card. The scope of this document includes requirements for initial issuance, maintenance and termination of these credentials, certificate policies and cryptographic specifications, technical specifications for permitted cryptographic token types and the command interfaces for the removable implementations of such cryptographic tokens.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-157

DRAFT SP 800-161 8/16/2013 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Topic Cyber-Physical Systems & Smart Grid; General IT Security; Incident Response; Maintenance; Planning; Risk Assessment; Services & Acquisitions
Keyword acquirer; criticality analysis; external service provider; information and communication technology (ICT); integrator; risk management; supplier; supply chain
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Program Management; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Conduct Security Awareness Training;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Develop Contingency Plans & Procedures;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-161

Final SP 800-162 1/16/2014 Guide to Attribute Based Access Control (ABAC) Definition and Considerations
Topic Research
Keyword access control; access control mechanism; access control model; access control policy; attribute based access control (ABAC); authorization; privilege


Family Access Control
Abstract This document provides Federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document also provides considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-162

DRAFT SP 800-164 10/31/2012 Guidelines on Hardware-Rooted Security in Mobile Devices
Topic Communications & Wireless; General IT Security
Keyword information security; mobile device security; root of trust; smartphone; tablet
Family System & Information Integrity
Abstract The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities (device integrity, isolation, and protected storage) through the use of hardware-based roots of trust.

The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-164

Final SP 800-165 7/22/2013 Computer Security Division 2012 Annual Report
Topic Annual Reports
Keyword Federal Information Security Management Act; FISMA; Computer Security Division; CSD; information security
Family
Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component of NIST's Information Technology Laboratory (ITL), is to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year 2012 (FY 2012), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security and privacy mechanisms were developed and applied that improved information security across the federal government and the greater information security community. This annual report highlights the research agenda and activities in which CSD was engaged during FY 2012.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#800-165


DRAFT SP 800-168 1/27/2014 Approximate Matching: Definition and Terminology
Topic Cryptography; Forensics
Keyword approximate matching; digital forensics
Family
Abstract Approximate matching is a promising technology designed to identify similarities between two digital artifacts. It is used to find objects that resemble each other or to find objects that are contained in another object. This can be very useful for filtering data for security monitoring, digital forensics, or other applications.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#800-168

Final FIPS 180-4 3/6/2012 Secure Hash Standard (SHS)
Topic Authentication; Cryptography; Digital Signatures
Keyword computer security; cryptography; message digest; hash function; hash algorithm; Federal Information Processing Standards; Secure Hash Standard
Family System & Communication Protection; System & Information Integrity
Abstract This standard specifies hash algorithms that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-180--4

Final FIPS 181 10/5/1993 Automated Password Generator
Topic Authentication; Cryptography
Keyword automated password generator; computer security; Federal Information Processing Standard; FIPS; password; random numbers
Family System & Communication Protection; System & Information Integrity
Abstract The Automated Password Generator Standard specifies an algorithm to generate passwords for the protection of computer resources. This standard is for use in conjunction with FIPS PUB 112, Password Usage Standard, which provides basic security criteria for the design, implementation, and use of passwords. The algorithm uses random numbers to select the characters that form the random pronounceable passwords. The random numbers are generated by a random number subroutine based on the Electronic Codebook mode of the Data Encryption Standard (DES) (FIPS PUB 46-1). The random number subroutine uses a pseudorandom DES key generated in accordance with the procedure described in Appendix C of ANSI X9.17.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-181

Final FIPS 185 2/9/1994 Escrowed Encryption Standard
Topic Cryptography
Keyword Cryptography; Federal Information Processing Standard; encryption; key escrow system; security
Family


Abstract This standard specifies an encryption/decryption algorithm and a Law Enforcement Access Field (LEAF) creation method which may be implemented in electronic devices and used for protecting government telecommunications when such protection is desired. The algorithm and the LEAF creation method are classified and are referenced, but not specified, in the standard. Electronic devices implementing this standard may be designed into cryptographic modules which are integrated into data security products and systems for use in data security applications. The LEAF is used in a key escrow system that provides for decryption of telecommunications when access to the telecommunications is lawfully authorized.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-185

Final FIPS 186-4 7/19/2013 Digital Signature Standard (DSS)
Topic Authentication; Cryptography; Digital Signatures
Keyword computer security; cryptography; Digital Signature Algorithm; digital signatures; Elliptic Curve Digital Signature Algorithm; Federal Information Processing Standard; public
Family System & Communication Protection
Abstract The Standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time. This Standard specifies three techniques for the generation and verification of digital signatures: DSA, ECDSA and RSA. This revision increases the length of the keys allowed for DSA, provides additional requirements for the use of ECDSA and RSA, and includes requirements for obtaining assurances necessary for valid digital signatures.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#186-4

Final FIPS 188 9/6/1994 Standard Security Label for Information Transfer
Topic Maintenance; Planning
Keyword Application Layer security; computer communications security; Computer Security Objects Register; Federal Information Processing Standard; Information Transfer security labels; Network Layer security; security labels; security protocols
Family Access Control
Abstract Information Transfer security labels convey information used by protocol entities to determine how to handle data communicated between open systems. Information on a security label can be used to control access, specify protective measures, and determine handling restrictions required by a communications security policy. This standard defines a security label syntax for information exchanged over data networks and provides encodings of that syntax for use at the Application and Network Layers. The syntactic constructs defined in this standard are intended to be used along with semantics provided by the authority establishing the security policy for the protection of the information exchanged. A separate NIST document, referenced in an informative appendix, defines a Computer Security Objects Register (CSOR) that serves as a repository for label semantics.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-188

Final FIPS 190 9/28/1994 Guideline for the Use of Advanced Authentication Technology Alternatives
Topic Authentication; Cryptography


Keyword computer security; cryptographic modules; cryptography; Federal Information Processing Standards Publication; telecommunication security
Family Identification & Authentication; System & Communication Protection
Abstract This Guideline describes the primary alternative methods for verifying the identities of computer system users, and provides recommendations to Federal agencies and departments for the acquisition and use of technology which supports these methods. Although the traditional approach to authentication relies primarily on passwords, it is clear that password-only authentication often fails to provide an adequate level of protection. Stronger authentication techniques become increasingly more important as information processing evolves toward an open systems environment. Modern technology has produced authentication tokens and biometric devices which are reliable, practical, and cost-effective. Passwords, tokens, and biometrics can be used in various combinations to provide far greater assurance in the authentication process than can be attained with passwords alone.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-190

Final FIPS 191 11/9/1994 Guideline for The Analysis of Local Area Network Security
Topic Audit & Accountability; Certification & Accreditation (C&A); Maintenance; Planning; Risk Assessment
Keyword Federal Information Processing Standards Publication (FIPS PUB); local area network (LAN); LAN security; risk; security; security mechanism; security service; threat; vulnerability
Family
Abstract This guideline discusses threats and vulnerabilities and considers technical security services and security mechanisms.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-191

Final FIPS 196 2/18/1997 Entity Authentication Using Public Key Cryptography
Topic Authentication; Cryptography; PKI
Keyword access control; authentication; challenge-response; computer security; cryptographic modules; cryptography; Federal Information Processing Standard (FIPS); telecommunications security
Family
Abstract This standard specifies two challenge-response protocols by which entities in a computer system may authenticate their identities to one another. These may be used during session initiation, and at any other time that entity authentication is necessary. Depending on which protocol is implemented, either one or both entities involved may be authenticated. The defined protocols are derived from an international standard for entity authentication based on public key cryptography, which uses digital signatures and random number challenges. Authentication based on public key cryptography has an advantage over many other authentication schemes because no secret information has to be shared by the entities involved in the exchange. A user (claimant) attempting to authenticate oneself must use a private key to digitally sign a random number challenge issued by the verifying entity. This random number is a time variant parameter which is unique to the authentication exchange. If the verifier can successfully verify the signed response using the claimant's public key, then the claimant has been successfully authenticated.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-196

Final FIPS 197 11/26/2001 Advanced Encryption Standard
Topic Cryptography


Keyword algorithm; block cipher; ciphertext; cryptographic algorithm; cryptographic keys; decryption; encryption
Family System & Communication Protection
Abstract The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-197

Final FIPS 198-1 7/16/2008 The Keyed-Hash Message Authentication Code (HMAC)
Topic Cryptography
Keyword computer security; cryptography; HMAC; MAC; message authentication; Federal Information Processing Standards (FIPS)
Family Audit & Accountability; System & Communication Protection; System & Information Integrity
Abstract This Standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative Approved cryptographic hash function, in combination with a shared secret key.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-198--1

Final FIPS 199 2/1/2004 Standards for Security Categorization of Federal Information and Information Systems
Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment
Keyword classification; Federal information; Federal information systems; FIPS; security
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment
Abstract The purpose of this document is to provide a standard for categorizing federal information and information systems according to an agency's level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-199

Final FIPS 200 3/1/2006 Minimum Security Requirements for Federal Information and Information Systems
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Planning
Keyword risk-assessment; security controls; security requirements


Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract FIPS 200 is the second standard that was specified by the Information Technology Management Reform Act of 1996 (FISMA). It is an integral part of the risk management framework that the National Institute of Standards and Technology (NIST) has developed to assist federal agencies in providing levels of information security based on levels of risk. FIPS 200 specifies minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-200

Final FIPS 201-1 6/23/2006 Personal Identity Verification (PIV) of Federal Employees and Contractors
Topic Biometrics; Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Keyword Architecture; authentication; authorization; biometrics; credential; cryptography; Federal Information Processing Standards (FIPS); HSPD 12; identification; identity; infrastructure; model; Personal Identity Verification; PIV; validation; verification.
Family Access Control; Identification & Authentication; Planning; System & Communication Protection
Abstract This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems.

The standard contains two major sections. Part one describes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of Homeland Security Presidential Directive 12, including personal identity proofing, registration, and issuance. Part two provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in Special Publication 800-73, Interfaces for Personal Identity Verification. Similarly, the interfaces and data formats of biometric information are specified in Special Publication 800-76, Biometric Data Specification for Personal Identity Verification.

This standard does not specify access control policies or requirements for Federal departments and agencies.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors


Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-201--1

Final FIPS 201-2 8/31/2013 Personal Identity Verification (PIV) of Federal Employees and Contractors
Topic Biometrics; Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Keyword architecture; authentication; authorization; biometrics; credential; cryptography; Federal Information Processing Standards (FIPS); HSPD-12; identification; identity; infrastructure; model; Personal Identity Verification; PIV; public key infrastructure; PKI; validation; verification.
Family Access Control; Identification & Authentication; Planning; System & Communication Protection
Abstract This Standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and logical access to government information systems.

The Standard contains the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of Homeland Security Presidential Directive-12 [HSPD-12], including identity proofing, registration, and issuance. The Standard also provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this Standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in Special Publication 800-73, Interfaces for Personal Identity Verification. The interfaces and data formats of biometric information are specified in Special Publication 800-76, Biometric Specifications for Personal Identity Verification. The requirements for cryptographic algorithms are specified in Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The requirements for the accreditation of the PIV Card issuers are specified in Special Publication 800-79, Guidelines for the Accreditation of Personal Identity Verification Card Issuers. The unique organizational codes for Federal agencies are assigned in Special Publication 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations. The requirements for card readers are specified in Special Publication 800-96, PIV Card to Reader Interoperability Guidelines. The format for encoding the chain-of-trust for import and export is specified in Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export. The requirements for issuing PIV derived credentials are specified in Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials.

This Standard does not specify access control policies or requirements for Federal departments and agencies.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-201--2

DRAFT FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
Topic Authentication; Cryptography; Digital Signatures
Keyword computer security; cryptography; extendable-output function; Federal Information Processing Standard; hash algorithm; hash function; information security; KECCAK; message digest; permutation; SHA-3; sponge construction; sponge function; XOF
Family


Abstract This Standard specifies the Secure Hash Algorithm-3 (SHA-3) family of functions on binary data. Each of the SHA-3 functions is based on an instance of the KECCAK algorithm that NIST selected as the winner of the SHA-3 Cryptographic Hash Algorithm Competition. This Standard also specifies the KECCAK-p family of mathematical permutations, including the permutation that underlies KECCAK, in order to facilitate the development of additional permutation-based cryptographic functions.

The SHA-3 family consists of four cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and SHA3-512, and two extendable-output functions (XOFs), called SHAKE128 and SHAKE256.

Hash functions are components for many important information security applications, including 1) the generation and verification of digital signatures, 2) key derivation, and 3) pseudorandom bit generation. The hash functions specified in this Standard supplement the SHA-1 hash function and the SHA-2 family of hash functions that are specified in FIPS 180-4, the Secure Hash Standard.

Extendable-output functions are different from hash functions, but it is possible to use them in similar ways, with the flexibility to be adapted directly to the requirements of individual applications, subject to additional security considerations.

Legal

Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-202
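As an added illustration of the distinction the FIPS 202 abstract draws between the fixed-length SHA-3 hashes and the SHAKE extendable-output functions, the following Python uses the standard-library hashlib implementations of both. This is example code written for this catalog entry; it is not NIST's code and not part of FIPS 202. The security-strength figures follow FIPS 202 Appendix A.1 (Table 4); the label-prefixed subkey derivation and the sample messages are constructed for the example and are not a NIST-specified KDF.

```python
import hashlib

# Fixed-length SHA-3 and SHAKE constructors in Python's hashlib (3.6+).
SHA3 = {224: hashlib.sha3_224, 256: hashlib.sha3_256,
        384: hashlib.sha3_384, 512: hashlib.sha3_512}
SHAKE = {128: hashlib.shake_128, 256: hashlib.shake_256}


def sha3_digest(msg: bytes, bits: int = 256) -> bytes:
    """SHA3-{bits}: the output length is fixed by the function name."""
    return SHA3[bits](msg).digest()


def shake(msg: bytes, out_len: int, variant: int = 256) -> bytes:
    """SHAKE{variant} with a caller-chosen output length in bytes."""
    xof = SHAKE[variant]()
    xof.update(msg)
    return xof.digest(out_len)


def xof_security_strength(variant: int, out_len: int) -> dict:
    """Security strength in bits for a SHAKE output of out_len bytes.

    FIPS 202 Appendix A.1 (Table 4): with d = output length in bits,
    SHAKE128 offers min(d/2, 128) bits of collision resistance and
    min(d, 128) bits of preimage resistance; SHAKE256 caps both at 256.
    Requesting a short output silently lowers the strength, which is the
    "additional security consideration" the abstract alludes to.
    """
    d = out_len * 8
    return {"collision": min(d // 2, variant), "preimage": min(d, variant)}


def outputs_share_prefix(msg: bytes, short: int, long: int, variant: int = 256) -> bool:
    """SHAKE outputs of different lengths for the same input are nested: the
    shorter one is a prefix of the longer one.  By contrast SHA3-256 and the
    first 32 bytes of SHAKE256 differ, because the two functions append
    different domain-separation suffix bits before padding."""
    return shake(msg, short, variant) == shake(msg, long, variant)[:short]


def derive_subkeys(secret: bytes, labels, key_len: int = 32) -> dict:
    """Constructed example of domain-separated derivation with SHAKE256.

    Because of the prefix property, carving several keys out of ONE XOF
    stream of the same input (bytes 0..31 for key A, 32..63 for key B) means
    anyone who can obtain a longer output for that input learns every key.
    Binding each key to a length-prefixed label gives each label its own,
    unrelated stream.  Illustrative construction, not a NIST KDF.
    """
    keys = {}
    for label in labels:
        if len(label) > 255:
            raise ValueError("label too long for one-byte length prefix")
        keys[label] = shake(bytes([len(label)]) + label + secret, key_len)
    return keys


if __name__ == "__main__":
    m = b"constructed sample message"  # constructed input, not from the page
    print("SHA3-256    ", sha3_digest(m).hex())
    print("SHAKE256/32 ", shake(m, 32).hex())
    print("SHAKE256/64 ", shake(m, 64).hex())
    print("32-byte output is a prefix of 64-byte output:", outputs_share_prefix(m, 32, 64))
    print("SHAKE128 with a 16-byte output:", xof_security_strength(128, 16))
    for label, key in derive_subkeys(b"constructed secret", [b"enc", b"mac"]).items():
        print(label.decode(), key.hex())
```

The practical check this encodes: treat a SHAKE output length as a security parameter, not a convenience, and never hand out two different-length SHAKE outputs of the same input to two parties who should not share key material.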

Final NISTIR 4734 2/1/1992 Foundations of a Security Policy for Use of the National Research and Educational Network

Topic

Keyword computer security policy; High-Performance Computing and Communication; HPCC; National Research and Educational Network; NREN

Family

Abstract The National Research and Education Network (NREN) is an integral part of the planned High-Performance Computing and Communication (HPCC) infrastructure that will extend throughout the scientific, technical and education communities. The projected vision is one of desks and laboratory benches as entry points to a nation-wide electronic network of information technologies with shared access to services and resources such as high-performance computing systems, specialized software tools, databases, scientific instruments, digital libraries, and other research facilities.

The purpose of this report is to explore the foundations of a security policy and propose a security policy for the NREN, one that is applicable to and identifies responsibilities of all major network constituents: end users, system administrators, management at all levels, vendors, system developers, service providers, and the Federal Networking Council.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4734

Final NISTIR 4749 6/26/1992 Sample Statements of Work for Federal Computer Security Services: For use In-House or Contracting Out

Topic

Keyword

Family


Abstract Each federal organization is fully responsible for its computer security program whether the security program is performed by in-house staff or contracted out. Time constraints, budget constraints, availability or expertise of staff, and the potential knowledge to be gained by the organization from an experienced contractor are among the reasons a federal organization may wish to get external assistance for some of these complex, labor intensive activities.

An interagency working group of federal and private sector security specialists developed this document. The document presents the ideas and experiences of those involved with computer security. It supports the operational field with a set of Statements of Work (SOWs) describing significant computer security activities. While not a substitute for good computer security management, organization staff and government contractors can use these SOWs as a basis for a common understanding of each described activity. The sample SOWs can foster easier access to more consistent, high-quality computer security services. The descriptions apply to contracting for services or obtaining them from within the organization.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4749

Final NISTIR 4939 10/1/1992 Threat Assessment of Malicious Code and External Attacks

Topic

Keyword

Family

Abstract As a participant in the U.S. Army Computer Vulnerability/Survivability Study Team, the National Institute of Standards and Technology has been tasked with providing an assessment of the threats associated with commercial hardware and software. This document is the second and final deliverable under the Military Interdepartmental Purchase Request number W43P6Q-92-EW138. This report provides an assessment of the threats associated with malicious code and external attacks on systems using commercially available hardware and software. The history of the threat is provided and current protection methods described. A projection of the future threats for both malicious code and human threats is also given.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4939

Final NISTIR 4976 11/1/1992 Assessing Federal and Commercial Information Security Needs

Topic

Keyword

Family


Abstract In a cooperative effort with government and industry, the National Institute of Standards and Technology (NIST) conducted a study to assess the current and future information technology (IT) security needs of the commercial, civil, and military sectors. The primary objectives of the study were to: a) determine a basic set of information protection policies and control objectives that pertain to the secure processing needs of organizations within all sectors; and b) identify protection requirements and technical approaches that are used, desired or sought so they can be considered for future federal standards and guidelines. The findings of this study address the basic security needs of IT product users, including system developers, end users, administrators, and evaluators. Security needs have been identified based on actual existing and well-understood security organizational practices.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4976

Final NISTIR 5153 3/1/1993 Minimum Security Requirements for Multi-User Operating Systems

Topic

Keyword

Family

Abstract [NOTE: THIS DOCUMENT HAS BEEN SUPERSEDED BY THE FEDERAL CRITERIA.]

The Minimum Security Requirements for Multi-User Operating Systems (MSR) document provides basic commercial computer system security requirements applicable to both government and commercial organizations. These requirements include technical measures that can be incorporated into multi-user, remote-access, resource-sharing, and information-sharing computer systems. The MSR document was written from the perspective of protecting the confidentiality and integrity of an organization's resources and promoting the continual availability of these resources. The MSR presented in this document form the basis for the commercially oriented protection profiles in Volume II of the draft Federal Criteria for Information Technology Security document (known as the Federal Criteria). The Federal Criteria is currently a draft and supersedes this document.

The MSR document has been developed by the MSR Working Group of the Federal Criteria Project under National Institute of Standards and Technology (NIST) leadership with a high level of private sector participation. Its contents are based on the Trusted Computer System Evaluation Criteria (TCSEC) C2 criteria class, with additions from current computer industry practice and commercial security requirements specifications.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5153

Final NISTIR 5232 5/1/1993 Report of the NSF/NIST Workshop on NSFNET/NREN Security, July 6-7, 1992

Topic

Keyword computer security policy; High-Performance Computing and Communication; HPCC; National Research and Educational Network; NREN

Family


Abstract The Workshop on NSFNET/NREN Security was hosted by NIST and sponsored by NSF to address the need for improving the security of national computer networks. Emphasis was on identifying off-the-shelf security technology that could be implemented in the NSF Network, especially to control access to the supercomputers on the network. The report sections reflect the workshop sessions, which addressed security aspects of distributed networks: authentication, access control, applications security and security management. A final section details workshop recommendations.

Legal

Link

Final NISTIR 5234 10/1/1993 Report of the NIST Workshop on Digital Signature Certificate Management, December 10-11, 1992

Topic

Keyword certificate management; certificate revocation lists; public key certificate; X.509 certificates

Family

Abstract The purpose of the workshop, held at the National Institute of Standards and Technology (NIST) on December 10-11, 1992, was to review the existing and required technologies for digital signature certification authorities, and to develop recommendations for certificate contents, formats, generation, distribution and storage. The results of the workshop will be provided to MITRE Corporation as input to the federally sponsored study of signature certification authorities. Invited participants represented various constituencies including the Federal Government, commercial organizations, standards organizations, and international interests. This report includes a summary of the presentations and copies of slides for nine of the presentations.

Legal

Link

Final NISTIR 5308 12/1/1993 General Procedures for Registering Computer Security Objects

Topic

Keyword

Family

Abstract The primary purpose of this register is to specify names that uniquely identify Computer Security Objects (CSOs). Unique names can be used to reference objects during the negotiation of security services for a transaction or application. The register is also a repository of parameters associated with the registered object.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5308

Final NISTIR 5468 6/1/1994 Report of the NIST Workshop on Key Escrow Encryption

Topic

Keyword cryptography; Escrowed Encryption Standard (EES); key escrow; SKIPJACK algorithm; telecommunications

Family


Abstract On June 10, 1994, the National Institute of Standards and Technology (NIST) hosted a one-day workshop to present and discuss key escrow encryption technology, including the recently-approved Escrowed Encryption Standard (EES), Federal Information Processing Standard (FIPS) Publication 185. Speakers from government and industry presented the objectives of key escrow encryption, its current method, several alternative methods for key escrow encryption, system integrity requirements, international aspects of key escrowing, and future directions.

Legal

Link

Final NISTIR 5472 3/1/1994 A Head Start on Assurance: Proceedings of an Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness, March 21-23, 1994

Topic Conferences & Workshops

Keyword

Family

Abstract The purpose of the Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness was to identify crucial issues on assurance in IT systems and to provide input into the development of policy guidance on determining the type and level of assurance appropriate in a given environment. The readers of these proceedings include those who handle sensitive information involving national security, privacy, commercial value, integrity, and availability.

Existing IT security policy guidance is based on computer and communications architectures of the early 1980s. Technological changes since that time mandate a review and revision of policy guidance on assurance and trustworthiness, especially since the changes encompass such technologies as distributed systems, local area networks, the worldwide Internet, policy-enforcing applications, and public key cryptography.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5472

Final NISTIR 5495 9/1/1994 Computer Security Training & Awareness Course Compendium

Topic

Keyword

Family

Abstract [Compendium of computer security courses offered circa 1994]

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5495

Final NISTIR 6390 9/1/1999 Randomness Testing of the Advanced Encryption Standard Candidate Algorithms

Topic Cryptography

Keyword Advanced Encryption Standard (AES); random number generators; randomness; statistical tests

Family

Abstract One of the criteria used to evaluate the Advanced Encryption Standard candidate algorithms was their demonstrated suitability as random number generators. That is, the evaluation of their output utilizing statistical tests should not provide any means by which to computationally distinguish them from a truly random source. This internal report lists several characteristics which an encryption algorithm exhibiting random behavior should possess, describes how the output for each candidate algorithm was evaluated for randomness, discusses what has been learned utilizing the NIST statistical tests, and finally provides an interpretation of the results.

Legal


Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6390

Final NISTIR 6416 10/1/1999 Applying Mobile Agents to Intrusion Detection and Response

Topic Incident Response

Keyword intrusion detection; intrusion response; mobile agents

Family

Abstract Effective intrusion detection capability is an elusive goal, not solved easily or with a single mechanism. However, mobile agents go a long way toward realizing the ideal behavior desired in an Intrusion Detection System (IDS). This report is an initial foray into the relatively unexplored terrain of using Mobile Agents for Intrusion Detection Systems (MAIDS). It suggests a number of innovative ways to apply agent mobility to address shortcomings of current IDS designs and implementations, and explores several new paradigms involving mobile agents. The report looks not only at the benefits derived from mobility, but also those inherent to agent technology, such as autonomous components. We explore these benefits in some detail and propose specific research topics in both the intrusion detection and intrusion response areas. We also discuss performance advantages and disadvantages that occur when using mobile agents in intrusion detection and response. The report concludes with a rating of the proposed research topics, falling under three main areas: performance enhancements, design improvements, and response improvements.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6416

Final NISTIR 6462 12/1/1999 CSPP - Guidance for COTS Security Protection Profiles (Formerly: CS2 - Protection Profile Guidance for Near-Term COTS) Version 1.0

Topic Maintenance; Planning

Keyword Commercial Off-The-Shelf products; Common Criteria; COTS; networked information systems; operating systems; Protection Profile

Family

Abstract CSPP provides the guidance necessary to develop compliant Common Criteria protection profiles for near-term, achievable security baselines using commercial off-the-shelf (COTS) information technology. CSPP accomplishes this purpose by:
- describing a largely policy-neutral, notional information system in the format of a protection profile (PP);
- specifying a subset of the Common Criteria to be used in developing compliant protection profiles; and
- providing the basis for refining:
  - policy-neutral guidance into specific policy requirements; and
  - system security threats, objectives, and requirements into a subset which is appropriate for a specific PP.
CSPP provides the requirements necessary to specify needs for both stand-alone and distributed, multi-user information systems. This covers general-purpose operating systems, database management systems, and other applications.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6462

Final NISTIR 6483 4/1/2000 Randomness Testing of the Advanced Encryption Standard Finalist Candidates

Topic Cryptography

Keyword Advanced Encryption Standard (AES); random number generators; randomness; statistical tests

Family


Abstract MARS, RC6, Rijndael, Serpent and Twofish were selected as finalists for the Advanced Encryption Standard (AES). To evaluate the finalists' suitability as random number generators, empirical statistical testing is commonly employed. Although it is widely believed that these five algorithms are indeed random, randomness testing was conducted to show that there is empirical evidence supporting this belief. In this paper, NIST reports on the studies that were conducted on the finalists for the 192-bit key size and 256-bit key size. The results to date suggest that all five of the finalists appear to be random.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6483
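To make concrete what the "empirical statistical testing" in NISTIR 6390 and NISTIR 6483 above consists of, here is an added Python example (written for this catalog entry, not NIST's own test-suite code) implementing two of the tests from the NIST statistical test suite, the frequency (monobit) test and the runs test, using the p-value formulas given in NIST SP 800-22. The bit streams are constructed for the example: the standard library has no AES, so a SHAKE128 output stream stands in for a candidate cipher's output, alongside two deliberately non-random streams that show what a failure looks like.

```python
import hashlib
import math


def bits_from_bytes(data: bytes) -> list:
    """Unpack bytes into a list of 0/1 ints, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_p_value(bits) -> float:
    """Frequency (monobit) test, SP 800-22 section 2.1.

    S_n = sum over bits of (2*b - 1); s_obs = |S_n| / sqrt(n);
    p = erfc(s_obs / sqrt(2)).  Checks that ones and zeros are balanced.
    """
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(bits) -> float:
    """Runs test, SP 800-22 section 2.3.

    A run is a maximal block of identical bits.  Too many runs means the
    stream oscillates too fast, too few means it is too sticky.  The test is
    only meaningful when the proportion of ones is near 1/2 (within
    tau = 2/sqrt(n)); otherwise it is reported as a failure (p = 0.0).
    """
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def evaluate(bits, alpha: float = 0.01) -> dict:
    """Run both tests; a stream passes a test when p >= alpha (SP 800-22 default)."""
    return {name: (p, p >= alpha) for name, p in
            (("monobit", monobit_p_value(bits)), ("runs", runs_p_value(bits)))}


# Constructed sample streams, n = 4000 bits each (not data from the report).
N_BITS = 4000
# Stand-in for a candidate cipher's output: SHAKE128 squeezed from a fixed seed.
CIPHER_LIKE = bits_from_bytes(hashlib.shake_128(b"constructed seed").digest(N_BITS // 8))
# Perfectly balanced but periodic: passes monobit, fails runs.
ALTERNATING = [i % 2 for i in range(N_BITS)]
# Heavily biased: fails monobit; the runs test is not even applicable.
MOSTLY_ONES = [1] * (N_BITS - 10) + [0] * 10

if __name__ == "__main__":
    for name, stream in (("cipher-like", CIPHER_LIKE),
                         ("alternating", ALTERNATING),
                         ("mostly-ones", MOSTLY_ONES)):
        verdict = {t: f"p={p:.4f} {'PASS' if ok else 'FAIL'}"
                   for t, (p, ok) in evaluate(stream).items()}
        print(name, verdict)
```

The alternating stream is the instructive case: it is exactly balanced, so the monobit test alone cannot distinguish it from random output, which is why the reports apply a battery of tests rather than a single statistic. A single p-value below 0.01 on a single stream is also only weak evidence; the NIST evaluations ran many streams per algorithm and looked at the distribution of p-values.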

Final NISTIR 6529-A 4/5/2004 Common Biometric Exchange Formats Framework (CBEFF)

Topic Biometrics

Keyword biometrics; biometric data format; biometric data elements; biometric data exchange; biometric technologies; data interchange; interoperability; nested structure

Family

Abstract The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric technologies in a common way. These data elements can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version of the original CBEFF, the Common Biometric Exchange File Format, published as NISTIR 6529. In addition to the name change, which reflects more accurately the scope of the specification, NISTIR 6529-A incorporates new features such as a CBEFF nested structure in order to support multiple biometric data types (e.g., finger, face and voice) and/or multiple biometric data blocks of the same biometric type (e.g., finger biometric data blocks from more than one finger) within a CBEFF data structure, a Biometric Feature to further define the type of biometric data being placed in the file, a Validity Period for that data, an expanded definition of the Creator field which now specifies a Product Identifier, an Index Field associated with a specific instance of biometric reference data, a Challenge-Response field and a Payload field. NISTIR 6529-A also defines two new CBEFF Formats: biometric data objects for use within smart cards and other tokens, and a simple root header for use in domains where more than one Patron Format, simple or nested, may be encountered.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6529-A

Final NISTIR 6887 2003 Edition 7/16/2003 Government Smart Card Interoperability Specification, Version 2.1

Topic Biometrics; Planning; Services & Acquisitions; Smart Cards

Keyword government smart card program; smart access common identification card contract; smart card; smart card interoperability

Family

Abstract This Government Smart Card Interoperability Specification (GSC-IS) provides solutions to a number of the interoperability challenges associated with smart card technology. The original version of the GSC-IS (version 1.0, August 2000) was developed by the GSC Interoperability Committee led by the General Services Administration (GSA) and the National Institute of Standards and Technology (NIST), in association with the GSA Smart Access Common Identification Card contract.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6887

Final NISTIR 6981 4/1/2003 Policy Expression and Enforcement for Handheld Devices

Topic Audit & Accountability; Incident Response; Planning; Risk Assessment

Keyword digital certificates; handheld devices; PDA; Personal Digital Assistant; security policy; trust management

Family


Abstract The use of mobile handheld devices, such as Personal Digital Assistants (PDAs) and tablet computers, within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but instead have become indispensable tools that offer competitive business advantages for the mobile workforce. While providing productivity benefits, the ability of these devices to store and transmit corporate information through both wired and wireless networks poses potential risks to an organization's security. This paper describes a framework for managing user privileges on handheld devices. The approach is aimed at assisting enterprise security officers in administering and enforcing group and individual security policies for PDAs, and helping constrain users to comply automatically with their organization's security policy. Details of a proof-of-concept implementation of the framework are also provided.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6981

Final NISTIR 6985 4/1/2003 COTS Security Protection Profile - Operating Systems (CSPP-OS) (Worked Example Applying Guidance of NISTIR-6462, CSPP) Version 1.0

Topic Maintenance; Planning

Keyword Commercial Off-The-Shelf products; Common Criteria; COTS; operating systems; Protection Profile

Family

Abstract CSPP-OS provides a worked example of the guidance in NISTIR-6462 for the development of Common Criteria Protection Profiles for commercial off the shelf (COTS) information technology. The intended audience consists of those individuals and organizations in both government and private sectors who are tasked with the responsibility to develop or review Protection Profiles. This document is presented as a protection profile, followed by a rationale that is structured as a separate document. This format was selected to facilitate using this guidance as a template for the development of Protection Profiles.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6985

Final NISTIR 7007 7/11/2003 An Overview of Issues in Testing Intrusion Detection Systems

Topic Research

Keyword IDS performance measurement methodology; intrusion detection system (IDS); quantitative testing of IDSs

Family

Abstract While intrusion detection systems are becoming ubiquitous defenses in today's networks, currently we have no comprehensive and scientifically rigorous methodology to test the effectiveness of these systems. This paper explores the types of performance measurements that are desired and that have been used in the past. We review many past evaluations that have been designed to assess these metrics. We also discuss the hurdles that have blocked successful measurements in this area and present suggestions for research directed toward improving our measurement capabilities.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7007

Final NISTIR 7030 7/1/2003 Picture Password: A Visual Login Technique for Mobile Devices

Topic Authentication

Keyword authentication; handheld devices; mobile devices; PDA; Personal Digital Assistant; visual login

Family


Abstract Adequate user authentication is a persistent problem, particularly with handheld devices, which tend to be highly personal and at the fringes of an organization's influence. Yet, these devices are being used increasingly in corporate settings where they pose a security risk, not only by containing sensitive information, but also by providing the means to access such information over wireless network interfaces. User authentication is the first line of defense against a lost or stolen PDA. However, motivating users to enable simple PIN or password mechanisms and periodically update their authentication information is a constant struggle. This paper describes a means to authenticate a user to a PDA using a visual login technique called Picture Password. The underlying rationale is that a method for login based on visual image selection is an easy and natural way for users to authenticate, removing the most serious barriers to users' compliance with corporate policy. While the technique was designed specifically for handheld devices, it is also suitable for notebooks, workstations, and other computational devices.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7030

Final NISTIR 7046 8/1/2003 A Framework for Multi-mode Authentication: Overview and Implementation Guide

Topic Authentication; Communications & Wireless; Cryptography

Keyword authentication; MAF; mobile devices; Multi-mode Authentication Framework; PDA; Personal Digital Assistant; security policy

Family

Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization's security. Enabling adequate user authentication is the first line of defense against unauthorized use of a lost or stolen handheld device. Multiple modes of authentication increase the work factor needed to attack a device; however, few devices support more than one mode, usually password-based authentication. This report describes a general Multi-mode Authentication Framework (MAF) for applying organizational security policies, organized into distinct policy contexts known as echelons, among which a user may transition. The approach is aimed at helping users easily comply with their organization's security policy, yet be able to exercise a significant amount of flexibility and discretion. The design of the framework allows various types of authentication technologies to be incorporated readily and provides a simple interface for supporting different types of policy enforcement mechanisms. Details of the implementation of the framework are provided, as well as two example authentication mechanisms.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7046

Final NISTIR 7056 3/1/2004 Card Technology Developments and Gap Analysis Interagency Report

Topic Biometrics; Research; Smart Cards

Keyword access cards; identification cards; smart cards; storage cards

Family

Abstract This Card Technology Developments and Gap Analysis Interagency Report (IR) provides information regarding current technical capabilities and limitations of storage and processor cards, current user requirements for individual and integrated technologies, and major impediments to technology exploitation. The report also identifies existing standards governing card technologies.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7056

Final NISTIR 7100 8/1/2004 PDA Forensic Tools: an Overview and Analysis


Topic Forensics; Incident Response; Services & Acquisitions

Keyword computer forensics; forensic software; forensic toolkits; PDA; Personal Digital Assistant

Family

Abstract Adequate user authentication is a persistent problem, particularly with mobile devices such as Personal Digital Assistants (PDAs), which tend to be highly personal and at the fringes of an organization's influence. Yet these devices are being used increasingly in military and government agencies, hospitals, and other business settings, where they pose a risk to security and privacy, not only from sensitive information they may contain, but also from the means they typically offer to access such information over wireless networks. User authentication is the first line of defense for a mobile device that falls into the hands of an unauthorized individual. However, motivating users to enable simple PIN or password mechanisms and periodically update their authentication information is difficult at best. This paper describes a general-purpose mechanism for authenticating users through image selection. The underlying rationale is that image recall is an easy and natural way for users to authenticate, removing a serious barrier to users' compliance with corporate policy. The approach described distinguishes itself from other attempts in this area in several ways, including style-dependent image selection, password reuse, and embedded salting, which collectively overcome a number of problems in employing knowledge-based authentication on mobile devices.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7100

Final NISTIR 7111 4/30/2004 Computer Security Division 2003 Annual Report

Topic Annual Reports

Keyword computer security; computer security awareness; computer security division; computer security guidance; computer security research; cryptographic standards; cyber security; FISMA; IT security; security testing and metrics

Family

Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2003. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act (FISMA) of 2002 and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal Agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, the Division has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry.

Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7111

Final NISTIR 7200 6/1/2005 Proximity Beacons and Mobile Device Authentication: an Overview and Implementation

Topic Authentication; Research

Keyword authentication; Bluetooth; mobile devices; MAF; Multi-mode Authentication Framework; organizational beacon; PAN; Personal Area Network; personal beacon; proximity beacon

Family


Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization's security by the information they contain or can access remotely. Enabling adequate user authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device. This report describes an innovative type of authentication mechanism that relies on the presence of a signal from a wireless beacon for access to be granted. Such proximity beacons can be either organizational or personal oriented, and require only that handheld devices support a common standard wireless interface for Personal Area Network (PAN) communications, such as Bluetooth. Details of the design and implementation for both personal and organizational proximity beacons are provided.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7200

Final NISTIR 7206 7/1/2005 Smart Cards and Mobile Device Authentication: an Overview and Implementation

Topic Authentication; Biometrics; Communications & Wireless; Cryptography; Smart Cards

Keyword authentication; Bluetooth; mobile devices; MAF; Multi-mode Authentication Framework; smart cards; Smart Multi-Media Card; SMMC

Family

Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization's security by the information they contain or can access remotely. Enabling adequate user authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device. Smart cards have long been the choice of authentication mechanism for many organizations; however, few handheld devices easily support readers for standard-size smart cards. This report describes two novel types of smart cards that use standard interfaces supported by handheld devices, avoiding use of the more cumbersome standard-size smart card readers. These solutions are aimed at helping organizations apply smart cards for authentication and other security services. Details of the design and implementation are provided.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7206

Final NISTIR 7219 4/15/2005 Computer Security Division 2004 Annual Report

Topic Annual Reports

Keyword computer security; computer security awareness; computer security division; computer security guidance; computer security research; cryptographic standards; cyber security; FISMA; IT security; security testing and metrics

Family


Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2004. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology, initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act of 2002 (FISMA) and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, the Division has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry.

Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7219

Final NISTIR 7224 8/1/2005 4th Annual PKI R&D Workshop "Multiple Paths to Trust" Proceedings

Topic Conferences & Workshops; PKI; Research

Keyword authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI); security; signatures; trust mechanisms; validation

Family

Abstract NIST hosted the fourth annual Public Key Infrastructure (PKI) Research Workshop on April 19-21, 2005. The two and a half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in deploying public key authentication and authorization technologies. This proceedings includes the 17 refereed papers, and captures the essence of the six panels and interaction at the workshop. The workshop also included a work-in-progress session and a birds-of-a-feather session during the evenings at the workshop hotel. Attendees included presenters from the United Kingdom, Canada, New Zealand, and Japan. Due to the success of this event, a fifth workshop is planned for April 4-6, 2006.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7224

Final NISTIR 7250 10/19/2005 Cell Phone Forensic Tools: an Overview and Analysis

Topic Forensics; Incident Response; Services & Acquisitions

Keyword cell phone forensics; cell phones; computer forensics; mobile devices

Family


Abstract Cell phones and other handheld devices incorporating cell phone capabilities (e.g., Personal Digital Assistant (PDA) phones) are ubiquitous. Rather than just placing calls, certain phones allow users to perform additional tasks such as SMS (Short Message Service) messaging, Multi-Media Messaging Service (MMS) messaging, IM (Instant Messaging), electronic mail, Web browsing, and basic PIM (Personal Information Management) applications (e.g., phone and date book). PDA phones, often referred to as smart phones, provide users with the combined capabilities of both a cell phone and a PDA. In addition to network services and basic PIM applications, one can manage more extensive appointment and contact information, review electronic documents, give a presentation, and perform other tasks.

All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the capabilities of these devices continue to improve rapidly. When cell phones or other cellular devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report gives an overview of current forensic software, designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7250

Final NISTIR 7275 Rev. 3 1/1/2008 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4

Topic Audit & Accountability; Maintenance; Security Automation

Keyword benchmarks; checklists; eXtensible Configuration Checklist Description Format; FISMA; security controls; vulnerabilities; XCCDF

Family Audit & Accountability; Configuration Management; Maintenance

Abstract This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of security guidance or checklist compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7275-Rev.%203

Final NISTIR 7275 Rev. 4 9/30/2011 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2

Topic Audit & Accountability; Maintenance; Security Automation

Keyword benchmarks; checklists; eXtensible Configuration Checklist Description Format; FISMA; security controls; vulnerabilities; XCCDF

Family Audit & Accountability; Configuration Management; Maintenance

Abstract This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. The specification also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7275-Rev.%204

Final NISTIR 7284 1/6/2006 Personal Identity Verification Card Management Report

Topic Audit & Accountability; Awareness & Training; Biometrics; Maintenance; Personal Identity Verification (PIV); Planning; Services & Acquisitions; Smart Cards

Keyword authentication; card management systems; Homeland Security Presidential Directive 12; Personal Identity Verification; PIV; smart cards

Family

Abstract NIST Special Publication 800-73 (http://piv.nist.gov) provides technical specifications for Personal Identity Verification (PIV) cards. However, it does not contain a complete card management specification for PIV systems. This Report provides an overview of card management systems, identifies generic card management requirements, and considers some technical approaches to filling the existing gaps in PIV card management. The primary guiding principle in selecting technical approaches for consideration is that they require no changes to the existing PIV specifications.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7284

Final NISTIR 7285 2/1/2006 Computer Security Division 2005 Annual Report

Topic Annual Reports

Keyword annual report; computer security; computer security awareness; Computer Security Division; computer security guidance; computer security research; cryptographic standards; cyber security; IT security; security testing and metrics

Family

Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2005. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act (FISMA) of 2002 and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal Agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, the Division has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry.

Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7285

Final NISTIR 7290 3/1/2006 Fingerprint Identification and Mobile Handheld Devices: An Overview and Implementation

Topic Authentication; Biometrics

Keyword authentication; biometrics; fingerprint identification; mobile devices

Family


Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization’s security by the information they contain or can access remotely.

Enabling adequate user authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device. This report describes using fingerprint identification on handheld devices. Two types of solutions are described: one that uses the computational capabilities of the handheld device to authenticate a user’s fingerprints, the other that uses the computational capabilities of a specialized processor to offload processing by the handheld device. Details of the design and implementation of both solutions are provided.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7290

Final NISTIR 7298 Rev. 2 5/31/2013 Glossary of Key Information Security Terms

Topic General IT Security

Keyword Cyber Security; Definitions; Glossary; Information Assurance; Information Security; Terms

Family

Abstract The National Institute of Standards and Technology (NIST) has received numerous requests to provide a summary glossary for our publications and other relevant sources, and to make the glossary available to practitioners. As a result of these requests, this glossary of common security terms has been extracted from NIST Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, NIST Interagency Reports (NISTIRs), and from the Committee for National Security Systems Instruction 4009 (CNSSI-4009). This glossary includes most of the terms in the NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009. This glossary provides a central resource of terms and definitions most commonly used in NIST information security publications and in CNSS information assurance publications. For a given term, we do not include all definitions in NIST documents – especially not from the older NIST publications. Since draft documents are not stable, we do not refer to terms/definitions in them.

Each entry in the glossary points to one or more source NIST publications, and/or CNSSI-4009, and/or supplemental sources where appropriate. The NIST publications referenced are the most recent versions of those publications (as of the date of this document).

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7298

Final NISTIR 7313 7/18/2006 5th Annual PKI R&D Workshop "Making PKI Easy to Use" Proceedings

Topic Conferences & Workshops; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards

Keyword authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI); security; signatures; validation

Family Access Control; Identification & Authentication; System & Services Acquisition


Abstract NIST hosted the fifth annual Public Key Infrastructure (PKI) Research Workshop on April 4-6, 2006. The two and a half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in deploying public key authentication and authorization technologies. This proceedings includes the 7 refereed papers, and captures the essence of the keynote, four invited talks, five panels and interaction at the workshop. The workshop also included a work-in-progress session and, new this year, an informal rump session. Attendees included presenters from the USA, United Kingdom, Israel, Australia, Norway, Sweden, Germany and Canada. Due to the success of this event, a sixth workshop is planned for Spring 2007.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7313

Final NISTIR 7316 9/29/2006 Assessment of Access Control Systems

Topic Audit & Accountability; Planning; Risk Assessment

Keyword access control; authentication; authorization; Discretionary Access Control; Non-Discretionary Access Control; RBAC; Role-Based Access Control; Rule-Based Access Control; security metrics; XML-Based Access Control

Family

Abstract Access control is perhaps the most basic aspect of computer security. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. In many systems access control takes the form of a simple password mechanism, but many require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the security level of the user accessing those documents. This publication explains some of the most commonly used access control services available in information technology systems, their structure, where they are likely to be used, and advantages and disadvantages of each.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7316

DRAFT NISTIR 7328 9/29/2007 Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

Topic Certification & Accreditation (C&A)

Keyword

Family Certification, Accreditation & Security Assessments


Abstract This report provides an initial set of requirements security assessment providers should satisfy to demonstrate capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customers’ responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received, NIST will update and republish this report and use it as a reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7328

Final NISTIR 7337 8/31/2006 Personal Identity Verification Demonstration Summary

Topic Personal Identity Verification (PIV)

Keyword CRADA; Cooperative Research and Development Agreement; demonstration project; FIPS 201; Personal Identity Verification; PIV

Family

Abstract This paper provides a summary of the NIST Personal Identity Verification (PIV) Demonstration. The PIV Demonstration took place from May 15 to June 14, 2006. Forty-four companies voluntarily participated through a Cooperative Research and Development Agreement (CRADA). The purpose of the demonstration was to show proof of concept and interoperability demonstrations of commercially available products that support FIPS 201 and the accompanying Special Publications. The results are summarized by product category.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7337

Final NISTIR 7358 1/1/2007 Program Review for Information Security Management Assistance (PRISMA)

Topic Audit & Accountability; General IT Security; Planning

Keyword action plan; evaluation; inspections; maturity level; PRISMA; security issues; security reviews

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Planning


Abstract Several sources of guidance, policies, standards and legislative acts provide many requirements for the federal agencies when protecting entrusted information. Various assessments, reviews, and inspections are an outcome of these information security requirements to monitor federal agency compliance. The manner in which these monitoring approaches are implemented may be very different, impacting agency resource constraints. The Federal Information Security Management Act (FISMA) of 2002 charged NIST to provide technical assistance to agencies regarding compliance with the standards and guidelines developed for securing information systems, as well as information security policies, procedures, and practices. This Interagency Report provides an overview of the NIST Program Review for Information Security Management Assistance (PRISMA) methodology. PRISMA is a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency. This report is provided as a framework for instructional purposes as well as to assist information security personnel, internal reviewers, auditors, and agency Inspector General (IG) staff personnel.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7358

Final NISTIR 7359 1/1/2007 Information Security Guide for Government Executives

Topic Awareness & Training; General IT Security; Planning

Keyword information security; information security program elements; security laws; security program; security regulations and standards

Family Awareness & Training; Planning

Abstract Information Security Guide for Government Executives provides a broad overview of information security program concepts to assist senior leaders in understanding how to oversee and support the development and implementation of information security programs. Management is responsible for: (1) Establishing the organization's information security program; (2) Setting program goals and priorities that support the mission of the organization; and (3) Making sure resources are available to support the security program and make it successful. Senior leadership commitment to security is more important now than ever before. Studies have shown that senior management's commitment to information security initiatives is the number one critical element that impacts an information security program's success. Meeting this need necessitates senior leadership to focus on effective information security governance and support which requires integration of security into the strategic and daily operations of an organization. When considering this challenge, five key security questions emerge for the executive: (1) What are the information security laws, regulations, standards, and guidance that I need to understand to build an effective security program? (2) What are the key activities to build an effective security program? (3) Why do I need to invest in security? (4) Where do I need to focus my attention in accomplishing critical security goals? (5) Where can I learn more to assist me in evaluating the effectiveness of my security program? This guide provides the answers to those questions.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7359

Final NISTIR 7387 3/21/2007 Cell Phone Forensic Tools: an Overview and Analysis Update

Topic Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions

Keyword cell phones; computer forensics; handheld devices; mobile devices

Family Incident Response; Planning; System & Services Acquisition


Abstract Cell phones and other handheld devices incorporating cell phone capabilities (e.g., Personal Digital Assistant (PDA) phones) are ubiquitous. Rather than just placing calls, most phones allow users to perform additional tasks, including Short Message Service (SMS) messaging, Multi-Media Messaging Service (MMS) messaging, Instant Messaging (IM), electronic mail, Web browsing, and basic Personal Information Management (PIM) applications (e.g., phone and date book). PDA phones, often referred to as smart phones, provide users with the combined capabilities of both a cell phone and a PDA. In addition to network services and basic PIM applications, one can manage more extensive appointment and contact information, review electronic documents, give a presentation, and perform other tasks.

All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the existing capabilities of these devices continue to improve rapidly. When cell phones or other cellular devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report provides an overview on current tools designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations. It is a follow-on to NISTIR 7250, "Cell Phone Forensic Tools: an Overview and Analysis", which focuses on tools that have undergone significant updates since that publication or were not covered previously.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7387

Final NISTIR 7399 3/21/2007 Computer Security Division 2006 Annual Report

Topic Annual Reports

Keyword annual report; computer security; computer security awareness; Computer Security Division; computer security guidance; computer security research; cryptographic standards; cyber security; IT security; security testing and metrics

Family

Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2006. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act (FISMA) of 2002 and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, CSD has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry.

Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7399

Final NISTIR 7427 9/13/2007 6th Annual PKI R&D Workshop "Applications-Driven PKI" Proceedings

Topic Conferences & Workshops; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards

Keyword authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI); security; signatures; validation

Family

Page 91 of 118

Page 92: Nist csd publications_20140428

NIST_CSD_Publications_20140428

Cat Status Series Pub Sort Date Title

Abstract Final NISTIR 7427 9/13/2007 NIST hosted the sixth Annual Public Key Infrastructure (PKI) Research Workshop on April 17-19, 2007. The two and a

half day event brought together PKI experts from academia, industry, and government had a particular interest in novel

approaches to simplifying the use and management of X.509 digital certificates, both within and across enterprises. This

proceedings includes the 9 refereed papers, and captures the essence of the keynote, four panels and interaction at the

workshop. The workshop also included a birds-of-a-feather session and an informal rump session. Attendees included

presenters from the USA, Canada, Brazil, Czech Republic, Israel, Japan, Singapore, Uganda, UK, and Japan. Due to the

success of this event, a seventh workshop is planned for Spring 2008.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7427

Final NISTIR 7435 8/30/2007 The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems

Topic General IT Security; Security Automation; Viruses & Malware

Keyword Common Vulnerability Scoring System; CVSS; National Vulnerability Database; NVD; security metrics; vulnerability scoring

Family Configuration Management

Abstract The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The National Vulnerability Database (NVD) provides specific CVSS scores for virtually all publicly known vulnerabilities. Federal agencies can use the Federal Information Processing Standards (FIPS) 199 security categories with the NVD CVSS scores to obtain impact scores that are tailored to each agency's environment. CVSS consists of three groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0.0 to 10.0, and a vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user's environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7435

Final NISTIR 7442 4/1/2008 Computer Security Division 2007 Annual Report

Topic Annual Reports

Keyword annual report; Computer Security Division; projects; highlights

Family

Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component of NIST's Information Technology Laboratory (ITL), is to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year 2007 (FY 2007), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security and privacy mechanisms were developed and applied that improved information security across the federal government and the greater information security community. This annual report highlights the research agenda and activities in which CSD was engaged during FY 2007.

Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7442

Final NISTIR 7452 11/30/2007 Secure Biometric Match-on-Card Feasibility Report

Topic Authentication; Biometrics; Communications & Wireless; Cryptography; Personal Identity Verification (PIV); PKI; Smart Cards

Keyword biometrics; feasibility study; FIPS 201; Match-on-Card; Personal Identity Verification; PIV

Family Access Control; System & Information Integrity

Abstract FIPS 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors," and its associated special publications define a method to perform biometric match-off-card authentication of a PIV cardholder when the PIV card is inserted into a contact smart card reader. Today, many smart cards, however, implement match-on-card technologies and are designed to perform cardholder authentication using a contactless interface. Contactless match-on-card operation requires additional security measures to ensure the transaction data is encrypted and can be securely transmitted, which can impact performance. NIST conducted the Secure Biometric Match-on-Card (SBMOC) feasibility study to understand the effects of security on performance. This report describes the tests that were conducted to obtain timing metrics for the SBMOC feasibility study and provides a summary of the test results.

This feasibility study also allows NIST to explore smart card technology advancements for possible extension of the FIPS 201 and/or other smart card standards.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7452

Final NISTIR 7497 9/30/2010 Security Architecture Design Process for Health Information Exchanges (HIEs)

Topic Planning; Research; Risk Assessment; Services & Acquisitions

Keyword Health Information Exchange; health IT; HIE; information security

Family Access Control; Planning; Risk Assessment; System & Services Acquisition

Abstract The purpose of this publication is to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that demonstrates how these practices can be applied to the development of HIEs. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.

Legal Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7497

Final NISTIR 7502 12/27/2010 The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities

Topic Risk Assessment; Security Automation

Keyword security configuration; security measurement; vulnerability measurement; vulnerability scoring

Family Configuration Management; Risk Assessment

Abstract The Common Configuration Scoring System (CCSS) is a set of measures of the severity of software security configuration issues. CCSS is derived from the Common Vulnerability Scoring System (CVSS), which was developed to measure the severity of vulnerabilities due to software flaws. CCSS can assist organizations in making sound decisions as to how security configuration issues should be addressed and can provide data to be used in quantitative assessments of the overall security posture of a system. This report defines proposed measures for CCSS and equations to be used to combine the measures into severity scores for each configuration issue. The report also provides several examples of how CCSS measures and scores would be determined for a diverse set of security configuration issues.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7502

Final NISTIR 7511 Rev. 3 7/11/2013 Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements

Topic Certification & Accreditation (C&A); Security Automation

Keyword Security Content Automation Protocol (SCAP); SCAP derived test requirements (DTR); SCAP validated tools; SCAP validation

Family Certification, Accreditation & Security Assessments; System & Services Acquisition

Abstract This report defines the requirements and associated test procedures necessary for products to achieve one or more Security Content Automation Protocol (SCAP) validations. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program (NVLAP).

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7511-Rev.%203

Final NISTIR 7516 8/27/2008 Forensic Filtering of Cell Phone Protocols

Topic Forensics; Research

Keyword cell phones; computer forensics; phone managers; protocol filters

Family Audit & Accountability

Abstract Phone managers are non-forensic software tools designed to carry out a range of tasks for the user, such as reading and updating the contents of a phone, using one or more of the communications protocols supported by the phone. Phone managers are sometimes used by forensic investigators to recover data from a cell phone when no suitable forensic tool is available. While precautions can be taken to preserve the integrity of data on a cell phone, inherent risks exist. Applying a forensic filter to phone manager protocol exchanges with a device is proposed as a means to reduce risk.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7516

Final NISTIR 7536 3/16/2009 Computer Security Division 2008 Annual Report

Topic Annual Reports

Keyword annual report; Computer Security Division; projects; highlights

Family

Abstract This annual report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2008. It discusses all projects and programs within the Division, staff highlights, and publications.

Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7536

Final NISTIR 7539 12/22/2008 Symmetric Key Injection onto Smart Cards

Topic Cryptography; Smart Cards

Keyword card authentication key; cryptographic key management; FIPS 201; HSPD-12; PACS; Personal Identity Verification; Physical Access Control Systems; PIV; smart cards

Family Identification & Authentication

Abstract This paper describes architectures for securely injecting secret keys onto smart cards. Specifically, this paper details key injection architectures based on the identity credentials available on the Personal Identity Verification (PIV) Card. The primary goal is to create additional opportunities for the use of the PIV Card in Physical Access Control Systems (PACS). There is significant interest in conducting a fast, accurate, and highly secured authentication transaction using symmetric keys in PACS environments. This paper identifies ways to load site-specific symmetric keys onto a PIV Card after the card has been issued, which allows each smart card to share a unique secret key with each PACS with which it interacts. The paper presents four protocols that enable a Card Management System (CMS) to securely load site-specific PACS symmetric keys. Each protocol presents unique security characteristics and uses the PIV Card's card management key in different capacities.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7539

Final NISTIR 7559 6/30/2010 Forensics Web Services (FWS)

Topic Forensics; General IT Security; Research

Keyword accountable services; digital forensics; services oriented architecture; web services

Family

Abstract Web services are currently a preferred way to architect and provide complex services. This complexity arises due to the composition of new services and dynamically invoking existing services. These compositions create service inter-dependencies that can be misused for monetary or other gains. When a misuse is reported, investigators have to navigate through a collection of logs to recreate the attack. In order to facilitate that task, we propose creating forensics web services (FWS) that would securely maintain transactional records between other web services. These secure records can be re-linked to reproduce the transactional history by an independent agency. In this report we show the necessary components of a forensic framework for web services and its success through a case study.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7559

Final NISTIR 7564 4/30/2009 Directions in Security Metrics Research

Topic General IT Security; Research; Risk Assessment

Keyword computer security; security evaluation; security metrics

Family Risk Assessment

Abstract More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. This paper provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7564

Final NISTIR 7581 9/30/2009 System and Network Security Acronyms and Abbreviations

Topic General IT Security

Keyword network security; system security

Family

Abstract This report contains a list of selected acronyms and abbreviations for system and network security terms with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network security publications.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7581

Final NISTIR 7601 8/31/2010 Framework for Emergency Response Official (ERO): Authentication and Authorization Infrastructure

Topic Authentication

Keyword authentication; authorization; emergency response officials; identity and attribute credentials; trusted tokens

Family Identification & Authentication

Abstract This document describes a framework (with the acronym ERO-AA) for establishing an infrastructure for authentication and authorization of Emergency Response officials (ERO) who respond to various types of man-made and natural disasters. The population of individuals authenticated and authorized under the ERO-AA infrastructure includes Federal Emergency Response Officials (FEROs), State/Local/Tribal/Private Sector Emergency Response Officials (SLTP-EROs) and the FEMA Disaster Reserve Workforce (DRW). The system supports the establishment, conveyance and validation of Identity Credentials (ICs), Attribute Credentials (ATs) and Deployment Authorization Credentials (DAs). Apart from enumeration of the types of EROs and their associated authority domains (called major players) and types of credentials, the conceptualization of the framework for the ERO-AA infrastructure includes a detailed description of various component services under three major service classes: Credentialing Service Class, Identity Verification and Attribute Validation Service Class and Trust Federation Service Class. The framework is predicated upon the use of trusted tokens capable of supporting biometric as well as secret key based identity authentication.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7601

Final NISTIR 7609 1/8/2010 Cryptographic Key Management Workshop Summary June 8-9, 2009

Topic Conferences & Workshops; Cryptography; PKI

Keyword CKM; CKM System Design Framework; cryptographic key management; cryptographic security

Family

Abstract On June 8 and 9, 2009, NIST held a Cryptographic Key Management (CKM) Workshop at its Gaithersburg, Maryland, campus that attracted approximately 80 people attending the workshop in person, with another 75 participating through video conferencing, and an additional 36 participating via audio teleconferencing. A total of 36 speakers, including technical experts, security standards leaders, and experienced managers gave presentations on various aspects of CKM during the workshop. Two presentations were made remotely via audio teleconferencing facilities. This summary provides the highlights of workshop presentations organized both by major CKM topics and also by presenter.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7609

Final NISTIR 7611 8/14/2009 Use of ISO/IEC 24727

Topic Authentication; Awareness & Training; Biometrics; Cryptography; Digital Signatures; General IT Security; Personal Identity Verification (PIV); PKI; Planning; Research

Keyword authentication; HSPD-12; identity credentials; ISO/IEC 24727; Personal Identity Verification; PIV; smart card identity applications

Family Access Control; Awareness & Training; Identification & Authentication; Planning

Abstract This document describes the use of ISO/IEC 24727 in enabling client-applications to access identity credentials issued by different credential issuers.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7611

Final NISTIR 7617 10/14/2009 Mobile Forensic Reference Materials: a Methodology and Reification

Topic Communications & Wireless; Forensics; Research

Keyword computer forensics; forensic tool validation; mobile devices

Family

Abstract This report concerns the theoretical and practical issues with automatically populating mobile devices with reference test data for use as reference materials in validation of forensic tools. It describes an application and data set developed to populate identity modules and highlights subtleties involved in the process. Intriguing results attained by recent versions of commonly-used forensic tools when used to recover the populated data are also discussed. The results indicate that reference materials can be used to identify a variety of inaccuracies that exist in present-day forensic tools.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7617

Final NISTIR 7620 9/1/2009 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition

Topic Cryptography

Keyword cryptographic hash algorithm; cryptographic hash function; cryptography; SHA-3

Family

Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as "SHA-3" and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7620

Final NISTIR 7621 10/1/2009 Small Business Information Security: the Fundamentals

Topic Awareness & Training; General IT Security; Planning

Keyword information security; small business

Family Access Control; Awareness & Training; Configuration Management; Contingency Planning; Identification & Authentication; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition

Abstract For some small businesses, the security of their information, systems, and networks might not be a high priority, but for their customers, employees, and trading partners it is very important. The term Small Enterprise (or Small Organization) is sometimes used for this same category of business or organization. A small enterprise/organization may also be a nonprofit organization. The size of a small business varies by type of business, but typically is a business or organization with up to 500 employees. In the United States, the number of small businesses totals to over 95% of all businesses. The small business community produces around 50% of our nation's Gross National Product (GNP) and creates around 50% of all new jobs in our country. Small businesses, therefore, are a very important part of our nation's economy. They are a significant part of our nation's critical economic and cyber infrastructure. Larger businesses in the United States have been actively pursuing information security with significant resources including technology, people, and budgets for some years now. As a result, they have become a much more difficult target for hackers and cyber criminals. Consequently, the hackers and cyber criminals are now focusing their unwanted attention on less secure small businesses. Therefore, it is important that each small business appropriately secure their information, systems, and networks. This Interagency Report (IR) will assist small business management to understand how to provide basic security for their information, systems, and networks.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7621

Final NISTIR 7622 10/16/2012 Notional Supply Chain Risk Management Practices for Federal Information Systems

Topic General IT Security; Services & Acquisitions

Keyword

Family System & Services Acquisition

Abstract This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk to federal information systems. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622

Final NISTIR 7628 8/31/2010 Guidelines for Smart Grid Cyber Security

Topic Cyber-Physical Systems & Smart Grid; Risk Assessment

Keyword cyber security; privacy; security requirements; smart grid

Family

Abstract Smart Grid technologies will introduce millions of new intelligent components to the electric grid that communicate in much more advanced ways (e.g., two-way communications, and wired and wireless communications) than in the past. This report is for individuals and organizations who will be addressing cyber security for Smart Grid systems. The privacy recommendations, the security requirements, and the supporting analyses that are included in this report may be used by strategists, designers, implementers, and operators of the Smart Grid, e.g., utilities, equipment manufacturers, regulators, as input to their risk assessment process and other tasks in the security lifecycle of a Smart Grid information system. This report focuses on specifying an analytical framework that may be useful to an organization. It is a baseline, and each organization must develop its own cyber security strategy for the Smart Grid. The information in this report serves as guidance to various organizations for assessing risk and selecting appropriate security requirements and privacy recommendations.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628

DRAFT NISTIR 7628 Rev. 1 10/25/2013 Guidelines for Smart Grid Cyber Security

Topic Cyber-Physical Systems & Smart Grid; Risk Assessment

Keyword advanced metering infrastructure; architecture; cryptography; cybersecurity; electric grid; privacy; security requirements; smart grid

Family

Abstract This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization's cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628r1

Final NISTIR 7653 3/23/2010 Computer Security Division 2009 Annual Report

Topic Annual Reports

Keyword annual report; Computer Security Division; projects; highlights

Family

Abstract This annual report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2009. It discusses all projects and programs within the Division, staff highlights, and publications.

Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7653

Final NISTIR 7657 3/30/2010 A Report on the Privilege (Access) Management Workshop

Topic Conferences & Workshops

Keyword access control; credential; eXtensible Access Control Markup Language; healthcare IT; Health Insurance Portability and Accountability Act; HIPAA; identity; privilege management; RAdAC; Risk-Adaptable Access Control; XACML

Family

Abstract This document is based on the discussions and conclusions of the Privilege (Access) Management Workshop held on 1-3 September, 2009 at the Gaithersburg, Maryland facilities of the National Institute of Standards and Technology (NIST), sponsored by NIST and the National Security Agency (NSA). This document includes additional material resulting from in-scope comments made by workshop participants and the public during the review periods for this document. An overview of the workshop is available in the published proceedings of the workshop.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7657

Final NISTIR 7658 2/24/2010 Guide to SIMfill Use and Development

Topic Forensics; Research

Keyword computer forensics; reference materials; tool validation

Family Incident Response

Abstract SIMfill is a proof-of-concept, open source, application developed by NIST to populate identity modules with test data, as a way to assess the recovery capability of mobile forensic tools. An initial set of test data is also provided with SIMfill as a baseline for creating other test cases. This report describes the design and organization of SIMfill in sufficient detail to allow informed use and experimentation with the software and test data provided, including the option to modify and extend the program and data provided to meet specific needs.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7658

Final NISTIR 7665 1/1/2010 Proceedings of the Privilege Management Workshop, September 1-3, 2009

Topic Conferences & Workshops

Keyword access control; eXtensible Access Control Markup Language; healthcare IT; Health Insurance Portability and Accountability Act; HIPAA; privilege management; RAdAC; Risk-Adaptable Access Control; XACML

Family

Abstract Privilege management is large and complex, often the source of heated debate and opinion, and fraught with widely-understood, yet ill-defined terminology and concepts. The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) sponsored the first Privilege Management Workshop at NIST's main campus in Gaithersburg, Maryland, September 1-3, 2009. The workshop was attended by approximately 120 people representing Executive branch Federal agencies, the private sector, and academia. The primary goal of this first workshop was to bring together a wide spectrum of individuals representing differing viewpoints, use cases, and organizational needs with the intent to reach a common understanding of several facets of this important area. This includes reaching consensus on the definition of privilege management and other terminology; understanding and analyzing the strengths and weaknesses of current and proposed access control models; ascertaining the current state of the practice and future research directions in privilege management; and understanding and articulating the managerial, legal, and policy requirements associated with privilege management.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7665

DRAFT NISTIR 7669 3/10/2010 Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements

Topic Certification & Accreditation (C&A)

Keyword conformance testing; Open Vulnerability Assessment Language; OVAL; vulernabilities

Family

Abstract This report describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a

defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST

National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited

laboratories and for vendors interested in receiving OVAL validation for their products.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7669

DRAFT NISTIR 7670 2/10/2011 Proposed Open Specifications for an Enterprise Remediation Automation Framework

Topic Audit & Accountability; General IT Security; Incident Response; Services & Acquisitions

Keyword security automation; Security Content Automation Protocol; SCAP; enterprise security

Family Audit & Accountability; Configuration Management; Incident Response

Abstract The success of SCAP in automated system assessment has fostered research related to the development of similar open

specifications in support of enterprise remediation. Enterprise remediation is focused on delivering capabilities that allow

organizations to identify, describe and implement desired system changes across the enterprise. Remediation actions can

include changes to the configuration of an operating system or application, installation of a software patch, or the

installation or removal of applications and libraries. This report examines technical use cases for enterprise remediation,

identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those

requirements.

This report is a product of ongoing collaboration between the National Institute of Standards and Technology (NIST), the

US Department of Defense, and the MITRE Corporation. Participation from a broader community of interested parties is

actively sought to help define, refine and mature proposed remediation standards.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7670

Final NISTIR 7676 6/18/2010 Maintaining and Using Key History on Personal Identity Verification (PIV) Cards

Topic Cryptography; Personal Identity Verification (PIV); PKI; Smart Cards

Keyword key management; Personal Identity Verification; PIV; smart cards

Family System & Communication Protection

Abstract NIST Special Publication 800-73-3 introduces the ability to store retired Key Management Keys within the Personal

Identity Verification (PIV) Card Application on a PIV Card. This paper complements SP 800-73-3 by providing some of the

rationale for the design of the mechanism for storing retired Key Management Keys on PIV Cards and by providing

suggestions to smart card vendors, PIV Card Issuers, and middleware developers on the use of the Key History

mechanism.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure

& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7676

Final NISTIR 7692 4/7/2011 Specification for the Open Checklist Interactive Language (OCIL) Version 2.0

Topic Audit & Accountability; Certification & Accreditation (C&A); Risk Assessment; Security Automation

Keyword assessment; OCIL; Open Checklist Interactive Language; questionnaire; SCAP; security automation; Security Content

Automation Protocol; XML

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Risk Assessment

Abstract This report defines version 2.0 of the Open Checklist Interactive Language (OCIL). The intent of OCIL is to provide a

standardized basis for expressing questionnaires and related information, such as answers to questions and final

questionnaire results, so that the questionnaires can use a standardized, machine-readable approach to interacting with

humans and using information stored during previous data collection efforts. OCIL documents are Extensible Markup

Language (XML) based. This report defines and explains the requirements that IT products and OCIL documents

asserting conformance with the OCIL 2.0 specification must meet.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7692

Final NISTIR 7693 6/17/2011 Specification for Asset Identification 1.1

Topic Audit & Accountability; Security Automation

Keyword asset identification; asset management; IT management

Family Audit & Accountability; Configuration Management

Abstract Asset identification plays an important role in an organization's ability to quickly correlate different sets of information

about assets. This specification provides the necessary constructs to uniquely identify assets based on known identifiers

and/or known information about the assets. This specification describes the purpose of asset identification, a data model

for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a

number of known use cases for asset identification.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7693

Final NISTIR 7694 6/21/2011 Specification for Asset Reporting Format 1.1

Topic Audit & Accountability; Security Automation

Keyword ARF; Asset Reporting Format; IT management

Family Audit & Accountability; Configuration Management

Abstract This specification describes the Asset Reporting Format (ARF), a data model for expressing the transport format of

information about assets and the relationships between assets and reports. The standardized data model facilitates the

reporting, correlating, and fusing of asset information throughout and between organizations. ARF is vendor and

technology neutral, flexible, and suited for a wide variety of reporting applications. The intent of ARF is to provide a

uniform foundation for the expression of reporting results, fostering more widespread application of sound IT management

practices. ARF can be used for any type of asset, not just IT assets.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7694

Final NISTIR 7695 8/19/2011 Common Platform Enumeration: Naming Specification Version 2.3

Topic Audit & Accountability; Security Automation

Keyword Common Platform Enumeration; CPE; SCAP; security automation

Family Audit & Accountability; Configuration Management

Abstract This report defines the Common Platform Enumeration (CPE) Naming version 2.3 specification. The CPE Naming

specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description

and naming. The CPE Naming specification defines the logical structure of names for IT product classes and the

procedures for binding and unbinding these names to and from machine-readable encodings. This report also defines and

explains the requirements that IT products must meet for conformance with the CPE Naming version 2.3 specification.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;

Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7695

Final NISTIR 7696 8/19/2011 Common Platform Enumeration: Name Matching Specification Version 2.3

Topic Audit & Accountability; Security Automation

Keyword Common Platform Enumeration; CPE; SCAP; security automation

Family Audit & Accountability; Configuration Management

Abstract This report defines the Common Platform Enumeration (CPE) Name Matching version 2.3 specification. The CPE Name

Matching specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product

description and naming. The CPE Name Matching specification provides a method for conducting a one-to-one

comparison of a source CPE name to a target CPE name. In addition to defining the specification, this report also defines

and explains the requirements that IT products must meet for conformance with the CPE Name Matching version 2.3

specification.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;

Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7696

Final NISTIR 7697 8/19/2011 Common Platform Enumeration: Dictionary Specification Version 2.3

Topic Audit & Accountability; Security Automation

Keyword Common Platform Enumeration; CPE; SCAP; security automation

Family Audit & Accountability; Configuration Management

Abstract This report defines the Common Platform Enumeration (CPE) Dictionary version 2.3 specification. The CPE Dictionary

Specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description

and naming. An individual CPE dictionary is a repository of IT product names, with each name in the repository identifying

a unique class of IT product in the world. This specification defines the semantics of the CPE Dictionary data model and

the rules associated with CPE dictionary creation and management. This report also defines and explains the

requirements that IT products and services, including CPE dictionaries, must meet for conformance with the CPE

Dictionary version 2.3 specification.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;

Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7697

Final NISTIR 7698 8/19/2011 Common Platform Enumeration: Applicability Language Specification Version 2.3

Topic Audit & Accountability; Security Automation

Keyword Common Platform Enumeration; CPE; SCAP; security automation

Family Audit & Accountability; Configuration Management

Abstract This report defines the Common Platform Enumeration (CPE) Applicability Language version 2.3 specification. The CPE

Applicability Language specification is part of a stack of CPE specifications that support a variety of use cases relating to

IT product description and naming. The CPE Applicability Language data model builds on top of other CPE specifications

to provide the functionality required to allow CPE users to construct complex groupings of CPE names to describe IT

platforms. These groupings are referred to as applicability statements because they are used to designate which platforms

particular guidance, policies, etc. apply to. This report defines the semantics of the CPE Applicability Language data

model and the requirements that IT products and CPE Applicability Language documents must meet for conformance with

the CPE Applicability Language version 2.3 specification.

Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;

Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &

Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7698

Final NISTIR 7751 5/31/2011 Computer Security Division 2010 Annual Report

Topic Annual Reports

Keyword annual report, computer security, Computer Security Division, CSD, cyber security, FISMA, highlights, projects

Family

Abstract This annual report covers the work conducted within the National Institute of Standards and Technology's Computer

Security Division during Fiscal Year 2010. It discusses all projects and programs within the Division, staff highlights, and

publications.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7751

DRAFT NISTIR 7756 1/6/2012 CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk

Assessment; Services & Acquisitions

Keyword

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident

Response; Maintenance; Risk Assessment; System & Communication Protection

Abstract [Second Public Draft] This publication presents an enterprise continuous monitoring technical reference architecture that

extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to

facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate

collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and

provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by

leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration

efforts.

Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7756

Final NISTIR 7764 2/23/2011 Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition

Topic Cryptography; Digital Signatures

Keyword cryptographic hash algorithm; cryptographic hash function; cryptographic hash competition; cryptography; SHA-3

competition

Family Configuration Management

Abstract The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007 to develop

a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms currently specified in the Federal

Information Processing Standard (FIPS) 180-3, Secure Hash Standard. The competition was NIST’s response to

advances in the cryptanalysis of hash algorithms.

NIST received sixty-four submissions in October 2008, and selected fifty-one candidate algorithms as the first-round

candidates on December 10, 2008, and fourteen as the second-round candidates on July 24, 2009. One year was

allocated for the public review of the second-round candidates. On December 9, 2010, NIST announced five SHA-3

finalists to advance to the third (and final) round of the competition. This report summarizes the evaluation and selection of

the five finalists – BLAKE, Grøstl, JH, Keccak and Skein.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7764

Final NISTIR 7771 2/28/2011 Conformance Test Architecture for Biometric Data Interchange Formats - Version Beta 2.0

Topic Biometrics; Research

Keyword binary data testing; biometrics; conformance test architecture; conformance testing; data interchange; standard

implementations; test cases

Family

Abstract The success of biometric applications is particularly dependent on the interoperability of biometric systems. Deploying

these systems requires a comprehensive portfolio of biometric standards developed in support of interoperability and data

interchange. A number of these domestic and international standards have been published and others are under

development. The existence of these standards alone is not enough to demonstrate that products meet the technical

requirements specified in the standards. Conformance testing captures the technical description of a specification and

measures whether an implementation faithfully implements the specification. The Computer Security Division of NIST/ITL

supports conformity assessment efforts through active technical participation in the development of conformance testing

methodology standards and the development of associated conformance test architectures (CTA) and test suites (CTS).

This NIST IR discusses the technological characteristics of the recently released CTA Beta 2.0. This architecture supports

CTSs such as the ones designed to test implementations of biometric data interchange data formats. The information

provided includes CTA modules communication methods, key CTA features and high-level sequence diagrams. It also

addresses an introduction to testing binary data, structure testing by groups of fields and a discussion on test cases.

Ongoing work on related tools development is also addressed.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7771

Final NISTIR 7773 11/1/2010 An Application of Combinatorial Methods to Conformance Testing for Document Object Model Events

Topic Research

Keyword combinatorial testing; conformance testing; Document Object Model; DOM; interoperability testing

Family System & Information Integrity

Abstract This report describes the use of combinatorial test methods to reduce the cost of testing for the Document Object Model

Events standard while maintaining an equivalent level of assurance. More than 36,000 tests – all possible combinations of

equivalence class values – were reduced by approximately a factor of 20 with no reduction in error detection effectiveness.

Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7773

Final NISTIR 7788 8/1/2011 Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs

Topic Research

Keyword attack detection; attack graphs; computer networks; security risk

Family

Abstract Today’s information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with

devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of

vulnerabilities. To more accurately assess the security of enterprise systems, one must understand how vulnerabilities

can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic

attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are

propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This metric

for risk mitigation analysis is used to maximize the security of enterprise systems. This methodology based on

probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7788

Final NISTIR 7791 6/22/2011 Conformance Test Architecture and Test Suite for ANSI/NIST-ITL 1-2007

Topic Biometrics; Certification & Accreditation (C&A)

Keyword ANSI/NIST–ITL 1-2007; biometrics; conformance test architecture; conformance testing; data interchange; standard

implementations; test assertions

Family

Abstract The Computer Security Division of NIST/ITL supports the development of biometric conformance testing methodology

standards and other conformity assessment efforts through active technical participation in the development of these

standards and the associated conformance test architectures and test suites. The ANSI/NIST-ITL standard "Data Format

for the Interchange of Fingerprint, Facial & Other Biometric Information" is used by law enforcement, intelligence, military,

and homeland security organizations throughout the world. The current version, specified in its Traditional Format, is Part

1: ANSI/NIST-ITL 1-2007. Although a revised and augmented version of the standard is under development, the 2007

version is still widely used. The Conformance Test Architecture and Test Suite described in this publication are designed

to test implementations of ANSI/NIST ITL 1-2007. The code (Beta 0.4) is currently designed to support testing of selected

record types of the standard but can be extended to support other record types as required. A high-level overview of the

architecture and test suite as well as software details and the code structure are provided. A quick start user guide and a

comprehensive table of the standard's requirements and the associated implemented conformance test assertions (over

five-hundred and thirty) are included.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7791

DRAFT NISTIR 7799 1/6/2012 Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk

Assessment; Services & Acquisitions

Keyword continuous monitoring

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident

Response; Maintenance; Risk Assessment; System & Communication Protection

Abstract This publication provides the technical specifications for the continuous monitoring (CM2) reference model presented in NIST IR 7756.

These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking,

propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that

describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications

that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication

paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain

agnostic, which means that they can be used for CM regardless of the data domain that is being monitored. A companion publication,

NIST IR 7800, binds these specifications to specific data domains (e.g., asset, configuration, and vulnerability management). The

specifications provided in this document are detailed enough to enable product instrumentation and development. They are also

detailed enough to enable product testing, validation, procurement, and interoperability. Taken together, the specifications in this

document define an ecosystem where a variety of interoperable products can be composed together to form effective CM solutions. If

properly adopted, these specifications will enable teamwork, orchestration, and coordination among CM products that currently operate

distinctly. For the computer security domain, this will greatly enhance organizational effectiveness and efficiency in addressing known

vulnerabilities and technical policy requirements, and decision making.

Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7799

DRAFT NISTIR 7800 1/20/2012 Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability

Management Domains

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk

Assessment; Security Automation; Services & Acquisitions

Keyword continuous monitoring; vulnerability management

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident

Response; Maintenance; Risk Assessment; System & Communication Protection

Abstract This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to

specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages

the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it

dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each

of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines

the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each

data domain.

Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7800

Final NISTIR 7802 9/20/2011 Trust Model for Security Automation Data 1.0 (TMSAD)

Topic Audit & Accountability; Authentication; Certification & Accreditation (C&A); Cryptography; Digital Signatures; Security

Automation

Keyword digital signatures; SCAP; security automation; Security Content Automation Protocol

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Identification &

Authentication; System & Information Integrity

Abstract This report defines the Trust Model for Security Automation Data 1.0 (TMSAD), which permits users to establish integrity,

authentication, and traceability for security automation data. Since security automation data is primarily stored and

exchanged using Extensible Markup Language (XML) documents, the focus of the trust model is on the processing of

XML documents. The trust model is composed of recommendations on how to use existing specifications to represent

signatures, hashes, key information, and identity information in the context of an XML document within the security

automation domain.

Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated

Information Resources/Certify & Accredit Systems

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7802

Final NISTIR 7806 9/16/2011 ANSI/NIST-ITL 1-2011 Requirements and Conformance Test Assertions

Topic Biometrics; Certification & Accreditation (C&A)

Keyword ANSI/NIST-ITL 1-2011; biometrics; conformance testing; data interchange; requirements; standard implementations; test

assertions

Family

Abstract The current version of the ANSI/NIST-ITL standard "Data Format for the Interchange of Fingerprint, Facial & Other Biometric

Information" is specified in two parts. Part 1, ANSI/NIST-ITL 1-2007, specifies the traditional format, and Part 2, ANSI/NIST-ITL 2-2008,

specifies a NIEM-conformant XML format. Both parts have been combined into one document, which is being revised and augmented.

The Computer Security Division (CSD) of NIST/ITL has developed a set of test assertions based on the requirements specified in the

4th draft of the new ANSI/NIST-ITL standard. Over twelve hundred test assertions have been identified and organized into a set of

tables to assist in the development of a conformance test tool designed to test implementations of the new version of the ANSI/NIST-ITL

standard for selected record types. These tables were contributed to the Conformance Testing Methodology (CTM) Working Group

which was recently established by NIST/ITL to develop a CTM for the new version of the ANSI/NIST-ITL (AN-2011) standard. A ballot

was conducted on a revised draft (5th draft) of the AN-2011 standard. A new draft will be developed based on the comments received

as a result of this ballot. As the technical content of the AN-2011 draft standard evolves towards approval and publication, and

comments on the assertion tables in this document are received, revised versions of these tables will be developed until they fully

address the requirements of the approved AN-2011 standard. This publication documents the assertions developed and the terms,

operands, and operators used in defining these assertions. Brief information on previous and ongoing conformance test tools

development within NIST/ITL CSD is included.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7806

Final NISTIR 7815 7/1/2011 Access Control for SAR Systems

Topic Authentication

Keyword ABAC; access control; law enforcement; policy; privilege management; SAR; Suspicious Activity Report; XACML

Family Access Control; System & Information Integrity

Abstract The Access Control for SAR Systems (ACSS) project focused on developing a prototype privilege management system

used to express and enforce policies for controlling access to Suspicious Activity Report (SAR) data within the law

enforcement domain. This report details the work conducted for the ACSS project including the design, implementation

and integration of distributed software components for rendering policy decisions, storing subject and resource data, and

facilitating web-based retrieval of SAR records.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7815

Final NISTIR 7816 5/8/2012 Computer Security Division 2011 Annual Report

Topic Annual Reports

Keyword Federal Information Security Management Act; FISMA; Computer Security Division; CSD; Information Security

Family

Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component of NIST's Information Technology Laboratory (ITL), is to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year 2011 (FY 2011), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security and privacy mechanisms were developed and applied that improved information security across the federal government and the greater information security community. This annual report highlights the research agenda and activities in which CSD was engaged during FY 2011.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7816

Final NISTIR 7817 11/7/2012 A Credential Reliability and Revocation Model for Federated Identities

Topic Authentication; Cryptography; General IT Security; Personal Identity Verification (PIV); PKI; Smart Cards

Keyword authentication; assertion; identity management; identity management system (IDMS); information; security; credential; identity attributes

Family Access Control; Audit & Accountability; Planning

Abstract A large number of Identity Management Systems (IDMSs) are being deployed worldwide that use different technologies for the population of their users. With the diverse set of technologies, and the unique business requirements for organizations to federate, there is no uniform approach to the federation process. Similarly, there is no uniform method to revoke credentials or their associated attribute(s) in a federated community. In the absence of a uniform revocation method, this document seeks to investigate credential and attribute revocation with a particular focus on identifying missing requirements. This document first introduces and analyzes the different types of digital credentials and recommends missing revocation-related requirements for each model in a federated environment. As a second goal, and as a by-product of the analysis and recommendations, this paper suggests a credential reliability and revocation service that serves to eliminate the missing requirements.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7817


DRAFT NISTIR 7823 6/10/2012 Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework

Topic Cyber-Physical Systems & Smart Grid; Maintenance

Keyword conformance testing; electric grid; smart grid; smart meters

Family Maintenance

Abstract Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The voluntary conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system's conformance with the NEMA standard.

Legal Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7823

DRAFT NISTIR 7831 12/6/2011 Common Remediation Enumeration (CRE) Version 1.0

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment

Keyword

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection

Abstract NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.

Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7831

DRAFT NISTIR 7848 5/7/2012 Specification for the Asset Summary Reporting Format 1.0

Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions

Keyword asset reporting; Asset Summary Reporting Format (ASR); continuous monitoring; information technology; security automation; Security Content Automation Protocol (SCAP); security metrics

Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection


Abstract NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.

Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7848

Final NISTIR 7849 3/5/2014 A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification

Topic Authentication; Cryptography; Personal Identity Verification (PIV); PKI; Smart Cards

Keyword card issuer; cardholder trait (biometric); person identifier; smart identity token; token secret

Family Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition

Abstract Smart cards (smart identity tokens) are now being extensively deployed for identity verification for controlling access to Information Technology (IT) resources as well as physical resources. Depending upon the sensitivity of the resources and the risk of wrong identification, different authentication use cases are being deployed. Assignment of authentication strength for each of the use cases is often based on: (a) the total number of three common orthogonal authentication factors, What You Know, What You Have and What You Are, and (b) the entropy associated with each factor chosen. The objective of this paper is to analyze the limitation of this approach and present a methodology for assigning authentication strengths based on the strength of pairwise bindings between the five entities involved in smart card-based authentications: the card (token), the token secret, the card holder, the card issuer, and the person identifier stored in the card. The rationale for the methodology is based on the following three observations: (a) the form factor of the smart identity token introduces some threats of misuse; (b) the common set of credential objects provisioned to a smart card embody bindings to address those threats; and (c) the strength of an authentication use case should therefore be based on the number and type of binding verifications that are performed in the constituent authentication mechanisms. The use of the methodology for developing an authentication assurance level taxonomy for two real-world smart identity token deployments is also illustrated.

Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7849

DRAFT NISTIR 7863 12/13/2013 Cardholder Authentication for the PIV Digital Signature Key

Topic Personal Identity Verification (PIV)

Keyword personal identification number; personal identity verification; PIN caching; PIV

Family

Abstract FIPS 201-2 requires explicit user action by the Personal Identity Verification (PIV) cardholder as a condition for use of the digital signature key stored on the card. This document clarifies the requirement for explicit user action to encourage the development of compliant applications and middleware that use the digital signature key.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7863


Final NISTIR 7864 7/10/2012 The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

Topic General IT Security; Risk Assessment

Keyword security measurement; trust misuse; vulnerability measurement; vulnerability scoring

Family Configuration Management; Risk Assessment

Abstract The Common Misuse Scoring System (CMSS) is a set of measures of the severity of software feature misuse vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is a vulnerability in which the feature also provides an avenue to compromise the security of a system. Such vulnerabilities are present when the trust assumptions made when designing software features can be abused in ways that violate security. Misuse vulnerabilities allow attackers to use for malicious purposes the functionality that was intended to be beneficial. CMSS can provide measurement data to assist organizations in making sound decisions on addressing software feature misuse vulnerabilities and in conducting quantitative assessments of the overall security posture of a system. This report defines proposed measures for CMSS and equations to be used to combine the measures into severity scores for each vulnerability. The report also provides examples of how CMSS measures and scores would be determined for selected software feature misuse vulnerabilities.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7864

Final NISTIR 7870 7/12/2012 NIST Test Personal Identity Verification (PIV) Cards

Topic Certification & Accreditation (C&A); Personal Identity Verification (PIV); Smart Cards

Keyword Personal Identity Verification; PIV; smart card; FIPS 201

Family

Abstract In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, NIST has developed a set of test PIV Cards and a supporting public key infrastructure. This set of test cards includes not only examples that are similar to cards that are currently issued today, but also examples of cards with features that are expected to appear in cards that will be issued in the future. This document provides an overview of the test cards and the infrastructure that has been developed to support their use.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7870

Final NISTIR 7874 9/14/2012 Guidelines for Access Control System Evaluation Metrics

Topic

Keyword Access Control, Authorization, Policy, Computer Security

Family

Abstract The purpose of this document is to provide Federal agencies with background information on access control (AC) properties, and to help access control experts improve their evaluation of the highest security AC systems. This document discusses the administration, enforcement, performance, and support properties of AC mechanisms that are embedded in each AC system. (Even though this document covers most of the essential AC properties, the listed properties are not necessarily complete.) This document extends the information in NIST IR 7316, Assessment of Access Control Systems [NISTIR 7316], which demonstrates the fundamental concepts of policy, models, and mechanisms of AC systems.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7874

Final NISTIR 7877 9/14/2012 BioCTS 2012: Advanced Conformance Test Architectures and Test Suites for Biometric Data Interchange Formats and Biometric Information Records

Topic Biometrics; Certification & Accreditation (C&A)

Keyword ANSI/NIST-ITL 1-2011; biometric, Biometric Information Records; biometrics; CBEFF; conformance testing; conformance test architecture; data interchange formats; encoding, NIEM-compliant; encoding, traditional; standards, ISO/IEC 19794; standard implementations; test assertions; testing methodology

Family

Abstract The Computer Security Division of NIST/ITL supports the development of biometric conformance testing methodology standards and other conformity assessment efforts through active technical participation in the development of these standards and the associated conformance test architectures and test suites. BioCTS 2012 is biometric conformance test software designed to test implementations for conformance to various biometric data interchange format standards. BioCTS 2012 for ANSI/NIST-ITL 1-2011 tests implementations of NIST SP 500-290 ANSI/NIST ITL 1-2011 (AN-2011) "Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information" using test assertions documented in NIST SP 500-295, "Conformance Testing Methodology for ANSI/NIST-ITL 1-2011, Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information (Release 1.0)." BioCTS 2012 for ISO/IEC tests implementations of biometric data interchange formats developed by Subcommittee 37 -- Biometrics of the Joint Technical Committee 1 -- Information Technology of ISO and IEC. Support for testing Biometric Information Records (BIRs) conforming to instantiations of the Common Biometric Exchange Formats Framework (CBEFF) specified in national and international standards is also provided. BioCTS 2012 for ANSI/NIST-ITL 1-2011 is currently designed to support testing of implementations that include any of the Record Types defined in AN-2011, but conformance testing is only performed for the selected Record Types (1, 4, 10, 13, 14, 15, and 17). Plans exist to extend the test tool to support additional Record Types. Information regarding BioCTS 2012 testing architectures, code structure, and other software design details is provided.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7877

Final NISTIR 7878 10/26/2012 Combinatorial Coverage Measurement

Topic Research

Keyword combinatorial testing; factor covering array; state-space coverage; verification and validation (V&V); t-way testing; configuration model; component interaction failure

Family

Abstract Combinatorial testing applies factor covering arrays to test all t-way combinations of input or configuration state space. In some testing situations, it is not practical to use covering arrays, but any set of tests covers at least some portion of t-way combinations up to t ≤ n. This report describes measures of combinatorial coverage that can be used in evaluating the degree of t-way coverage of any test suite, regardless of whether it was initially constructed for combinatorial coverage.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7878

Final NISTIR 7896 11/15/2012 Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition

Topic Cryptography

Keyword Cryptographic hash algorithm; Cryptographic hash function; Cryptography; Cryptographic hash competition; SHA-3 competition.

Family


Abstract The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007, to develop a new cryptographic hash algorithm, SHA-3, which will augment the hash algorithms specified in the Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS). The competition was NIST's response to advances in the cryptanalysis of hash algorithms.

NIST received sixty-four submissions in October 2008, and selected fifty-one first-round candidates on December 10, 2008; fourteen second-round candidates on July 24, 2009; and five third-round candidates (BLAKE, Grøstl, JH, Keccak and Skein) on December 9, 2010, to advance to the final round of the competition. Eighteen months were provided for the public review of the finalists, and on October 2, 2012, NIST announced the winning algorithm of the SHA-3 competition: Keccak. This report summarizes the evaluation of the five finalists and the selection of the SHA-3 winner.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7896

DRAFT NISTIR 7904 12/21/2012 Trusted Geolocation in the Cloud: Proof of Concept Implementation

Topic Cloud Computing & Virtualization; Research

Keyword cloud computing; geolocation; Infrastructure as a Service (IaaS); virtualization

Family Access Control; Audit & Accountability; Configuration Management; System & Communication Protection; System & Information Integrity

Abstract This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired. The publication is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation.

Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7904

Final NISTIR 7916 2/1/2013 Proceedings of the Cybersecurity in Cyber-Physical Systems Workshop, April 23-24, 2012

Topic Conferences & Workshops; Cyber-Physical Systems & Smart Grid

Keyword CPS; cyber-physical systems; cybersecurity; networked automotive vehicles; networked medical devices; semi-conductor manufacturing

Family

Abstract Proceedings of the Cybersecurity in Cyber-Physical Workshop, April 23-24, 2012, complete with abstracts and slides from presenters. Some of the cyber-physical systems covered during the first day of the workshop included networked automotive vehicles, networked medical devices, semi-conductor manufacturing, and cyber-physical testbeds. Day two of the workshop covered the electric smart grid. Dr. Farnham Jahanian, NSF, was the keynote speaker on day one.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7916

DRAFT NISTIR 7924 4/22/2013 Reference Certificate Policy

Topic Cryptography; PKI

Keyword certificate authority; certificate policy; digital certificate; public key infrastructure

Family

Abstract The purpose of this document is to identify a baseline set of security controls and practices to support the secure issuance of certificates. This baseline was developed with publicly-trusted Certificate Authorities (CAs) in mind. These CAs, who issue the certificates used to secure websites and sign software, play a particularly important role online. This document is formatted as a Reference Certificate Policy (CP). We expect different applications and relying party communities will tailor this document based on their specific needs. It was structured and developed so that the CP developer can fill in sections specific to organizational needs and quickly produce a suitable CP. This Reference CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) Certificate Policy and Certification Practices Framework.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7924

Final NISTIR 7933 5/1/2013 Requirements and Conformance Test Assertions for ANSI/NIST-ITL 1-2011 Record Type 18 - DNA Record

Topic Biometrics; Forensics

Keyword ANSI/NIST-ITL 1-2011; biometrics; conformance testing; conformance test architecture; CTA; CTS; BioCTS; conformance test suite; data interchange; DNA data; Record Type 18; test assertions; testing methodology

Family

Abstract The Computer Security Division (CSD) of NIST/ITL develops conformance test architectures (CTAs) and test suites (CTSs) to support users that require conformance to selected biometric standards. Product developers as well as testing laboratories can also benefit from the use of these tools. This project supports the possible establishment of conformity assessment programs for biometrics and also supports NIST/ITL's Forensic Science Program by making conformance testing tools available that provide developers, users, and purchasers with increased levels of confidence in product quality and increase the probability of successful interoperability of biometrics and forensic data. One of the test tools is a CTA/CTS designed to test implementations of ANSI/NIST-ITL 1-2011 (AN-2011) "Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information" for selected Record Types based on twelve hundred test assertions previously developed. As part of the process associated with the extension of the first version of BioCTS for AN-2011, NIST/ITL/CSD's staff identified over two hundred test assertions necessary to meet the conformance requirements for the AN-2011 Record Type 18 - DNA Record. These test assertions are documented using the format specified in NIST Special Publication 500-295, "Conformance Testing Methodology for ANSI/NIST-ITL 1-2011, Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information (Release 1.0)".

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7933

Final NISTIR 7946 4/28/2014 CVSS Implementation Guidance

Topic General IT Security; Security Automation; Viruses & Malware

Keyword Common Vulnerability Scoring System Version 2.0; CVSS v2.0; National Vulnerability Database; NVD; security metrics; vulnerabilities; vulnerability scoring

Family Configuration Management


Abstract This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to score over 50,000 vulnerabilities analyzed by the National Vulnerability Database (NVD). An overview of the CVSS base metrics is first presented followed by guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored IT vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD's vulnerability scoring process.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7946

Final NISTIR 7956 9/18/2013 Cryptographic Key Management Issues & Challenges in Cloud Services

Topic Cloud Computing & Virtualization; Cryptography; PKI

Keyword authentication; cloud services; data protection; encryption; key management system (KMS); Secure Shell (SSH); Transport Layer Security (TLS)

Family

Abstract To interact with various services in the cloud and to store the data generated/processed by those services, several security capabilities are required. Based on a core set of features in the three common cloud services (Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS)), we identify a set of security capabilities needed to exercise those features and the cryptographic operations they entail. An analysis of the common state of practice of the cryptographic operations that provide those security capabilities reveals that the management of cryptographic keys takes on an additional complexity in cloud environments compared to enterprise IT environments due to: (a) difference in ownership (between cloud Consumers and cloud Providers) and (b) control of infrastructures on which both the Key Management System (KMS) and protected resources are located. This document identifies the cryptographic key management challenges in the context of architectural solutions that are commonly deployed to perform those cryptographic operations.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7956

DRAFT NISTIR 7977 2/18/2014 NIST Cryptographic Standards and Guidelines Development Process

Topic Cryptography

Keyword cryptographic guidelines; cryptographic standards

Family

Abstract This document describes the principles, processes and procedures that drive our cryptographic standards development efforts. This draft document will be revised based on the feedback received during the public comment period, and the revised publication will serve as the basis for NIST's future standards development efforts. It will also serve as the basis for the review of NIST's existing body of cryptographic standards and guidelines.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7977

DRAFT NISTIR 7981 3/7/2014 Mobile, PIV, and Authentication

Topic

Keyword Derived PIV Credential; electronic authentication; microSD; mobile device; PIV Card; smart phone; tablet; UICC; USB

Family

Abstract The purpose of this document is to analyze various current and near-term options for remote electronic authentication from mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices, such as smart phones and tablets.

Legal

Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7981
