NIST_CSD_Publications_20140428
Cat Status Series Pub Sort Date Title
Final SP 800-12 10/1/1995 An Introduction to Computer Security: the NIST Handbook
Topic General IT Security
Keyword Computer security; guidance; IT security; security controls
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &
Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract This handbook provides assistance in securing computer-based resources (including hardware, software, and information)
by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits
of security controls, the major techniques or approaches for each control, and important related considerations.
The handbook provides a broad overview of computer security to help readers understand their computer security needs
and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps
necessary to implement a computer security program, provide detailed implementation procedures for security controls, or
give guidance for auditing the security of specific systems.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-12
Final SP 800-13 10/1/1995 Telecommunications Security Guidelines for Telecommunications Management Network
Topic Communications & Wireless
Keyword Telecommunications security; security baseline; security requirements
Family Contingency Planning; Risk Assessment
Abstract This Telecommunication Security Guideline is intended to provide a security baseline for Network Elements (NEs) and
Mediation Devices (MDs) that is based on commercial security needs. In addition, some National Security and Emergency
Preparedness (NS/EP) security requirements will be integrated into the baseline to address specific network security
needs.
The guideline should assist telecommunications vendors in developing systems and service providers in implementing
systems with appropriate security for integration into the Public Switched Network (PSN). It can also be used by a
government agency or a commercial organization to formulate a specific security policy. It does not stipulate regulatory
requirements or mandated standards of the National Institute of Standards and Technology.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-13
Final SP 800-14 9/1/1996 Generally Accepted Principles and Practices for Securing Information Technology Systems
Topic General IT Security
Keyword IT security; security baseline; security practices; security principles
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &
Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract As more organizations share information electronically, a common understanding of what is needed and expected in
securing information technology (IT) resources is required. This document provides a baseline that organizations can use
to establish and review their IT security programs. The document gives a foundation that organizations can reference
when conducting multi-organizational business as well as internal business. Management, internal auditors, users, system
developers, and security practitioners can use the guideline to gain an understanding of the basic security requirements
most IT systems should contain. The foundation begins with generally accepted system security principles and continues
with common practices that are used in securing IT systems.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-14
Final SP 800-15 1/1/1998 MISPC Minimum Interoperability Specification for PKI Components, Version 1
Topic Cryptography; Digital Signatures; PKI; Services & Acquisitions
Keyword Certificate; certificate revocation list; certification authority (CA); CRL; public key infrastructure (PKI); registration authority;
repository; X.509
Family System & Communication Protection
Abstract The Minimum Interoperability Specification for PKI Components (MISPC) supports interoperability for a large scale public key
infrastructure (PKI) that issues, revokes and manages X.509 version 3 digital signature public key certificates and version 2 certificate
revocation lists (CRLs). To the extent possible, this document adopts data formats and transaction sets defined in existing and evolving
standards, such as ITU X.509 and the IETF's Internet Public Key Infrastructure Using X.509 Certificates (PKIX) series. In this
specification a PKI is broken into five components: certification authorities (CAs) that issue and revoke certificates; organizational
registration authorities (ORAs) that vouch for the binding between public keys and certificate holder identities and other attributes;
certificate holders that are issued certificates and can sign digital documents; clients that validate digital signatures and their certification
paths from a known public key of a trusted CA; and repositories that store and make available certificates and CRLs. The MISPC
supports both hierarchical and network trust models. In hierarchical models, trust is delegated by a CA when it certifies a subordinate
CA. Trust delegation starts at a root CA that is trusted by every node in the infrastructure. In network models, trust is established
between any two CAs. The MISPC specifies the use of X.509 v3 extensions in certificates to explicitly manage trust relationships. This
specification consists primarily of a profile of certificate and CRL extensions and a set of transactions. The transactions include:
certification requests, certificate renewal, certificate revocation, and retrieval of certificates and CRLs from repositories.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-15-Version%201
DRAFT SP 800-16 Rev. 1 3/14/2014 A Role-Based Model for Federal Information Technology/Cybersecurity Training
Topic Audit & Accountability; Awareness & Training
Keyword Cybersecurity; information assurance; learning continuum; role-based training; security; security awareness; security
controls; security literacy
Family Awareness & Training; Program Management
Abstract Meeting security responsibilities and providing for the confidentiality, integrity, and availability of information in today's highly networked
environment can be a difficult task. Each individual that owns, uses, relies on, or manages information and information technology (IT)
systems must fully understand their specific security responsibilities. This includes ownership of the information and the role individuals
have in protecting information. Information that requires protection includes information they own, information provided to them as part
of their work and information they may come into contact with.
This document describes information technology/cybersecurity role-based training for the Federal Departments and Agencies and
Organizations (Federal Organizations) and contractor support in these roles. Its primary focus is to provide a comprehensive, yet
flexible, training methodology for the development of training courses or modules for personnel who have been identified as having
significant information technology/cybersecurity responsibilities. This document is intended to be used by Federal information
technology/cybersecurity training personnel and their contractors to assist in designing role-based training courses or modules for
Federal Organizations personnel and contractors who have been identified as having significant responsibilities for information
technology/cybersecurity. This publication should also be read, reviewed, or understood at a fairly high level by several audiences
including the Organizational Heads through the leadership chain to the individual. Some of the titles include, but are not limited to, the IT
Managers, Senior Agency Information Security Officer (SAISO), Certified Information Systems Security Officer (CISSO), Information
Systems Security Officer (ISSO), Information Assurance Manager (IAM), and Program Manager (PM).
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Conduct Security Awareness Training
Link http://csrc.nist.gov/publications/PubsSPs.html#800-16-rev1
Final SP 800-16 4/1/1998 Information Technology Security Training Requirements: a Role- and Performance-Based Model
Topic Audit & Accountability; Awareness & Training
Keyword Awareness; behavioral objectives; education; individual accountability; job function; management and technical controls;
rules of behavior; training
Family Awareness & Training; Program Management
Abstract This document supersedes NIST SP 500-172, Computer Security Training Guidelines, published in 1989. The new
document supports the Computer Security Act (Public Law 100-235) and OMB Circular A-130 Appendix III requirements
that NIST develop and issue computer security training guidance. This publication presents a new conceptual framework
for providing information technology (IT) security training. This framework includes the IT security training requirements
appropriate for today's distributed computing environment and provides flexibility for extension to accommodate future
technologies and the related risk management decisions.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Conduct Security Awareness Training
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-16
Final SP 800-17 2/1/1998 Modes of Operation Validation System (MOVS): Requirements and Procedures
Topic Authentication; Cryptography
Keyword Automated testing; computer security; cryptographic algorithms; cryptography; Data Encryption Standard (DES); Federal
Information Processing Standard (FIPS); NVLAP; Skipjack algorithm; secret key cryptography; validation.
Family Certification, Accreditation & Security Assessments; System & Communication Protection
Abstract The National Institute of Standards and Technology (NIST) Modes of Operation Validation System (MOVS) specifies the
procedures involved in validating implementations of the DES algorithm in FIPS PUB 46-2, The Data Encryption Standard
(DES), and the Skipjack algorithm in FIPS PUB 185, Escrowed Encryption Standard (EES). The MOVS is designed to
perform automated testing on Implementations Under Test (IUTs). This publication provides brief overviews of the DES
and Skipjack algorithms and introduces the basic design and configuration of the MOVS. Included in this overview are the
specifications for the two categories of tests which make up the MOVS, i.e., the Known Answer tests and the Modes tests.
The requirements and administrative procedures to be followed by those seeking formal NIST validation of an
implementation of the DES or Skipjack algorithm are presented. The requirements described include the specific protocols
for communication between the IUT and the MOVS, the types of tests which the IUT must pass for formal NIST validation,
and general instructions for accessing and interfacing with the MOVS. An appendix with tables of values and results for
the DES and Skipjack Known Answer tests is also provided.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-17
Final SP 800-18 Rev. 1 2/1/2006 Guide for Developing Security Plans for Federal Information Systems
Topic Audit & Accountability; Certification & Accreditation (C&A); Planning
Keyword Authorize processing; computer security; general support system; major application; management controls; operational
controls; rules of behavior; security plan; technical controls
Family Certification, Accreditation & Security Assessments; Planning
Abstract The objective of system security planning is to improve protection of information system resources. All federal systems have some level
of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system
security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130,
Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Title III of the
E-Government Act, entitled the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to
provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those
requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.
The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security
protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information
owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the
basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document
are adequately covered and readily identifiable.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-18-Rev.1
Final SP 800-19 10/1/1999 Mobile Agent Security
Topic Planning; Risk Assessment; Viruses & Malware
Keyword Computer security; mobile agent security
Family Access Control; Audit & Accountability; Planning; Risk Assessment; System & Communication Protection; System &
Information Integrity
Abstract Mobile agent technology offers a new computing paradigm in which a
program, in the form of a software agent, can suspend its execution on a host computer, transfer itself to another agent-
enabled host on the network, and resume execution on the new host. The use of mobile code has a long history dating
back to the use of remote job entry systems in the 1960s. Today's agent incarnations can be characterized in a number of
ways ranging from simple distributed objects to highly organized software with embedded intelligence. As the
sophistication of mobile software has increased over time, so too have the associated threats to security. This report
provides an overview of the range of threats facing the designers of agent platforms and the developers of agent-based
applications. The report also identifies generic security objectives, and a range of measures for countering the identified
threats and fulfilling these security objectives.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-19
Final SP 800-20 3/1/2012 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
Topic Cryptography
Keyword Automated testing; computer security; cryptographic algorithms; cryptography; Triple Data Encryption Algorithm (TDEA);
Triple Data Encryption Standard (TDES); Federal Information Processing Standard (FIPS); NVLAP; secret key
cryptography; validation.
Family Certification, Accreditation & Security Assessments; System & Communication Protection
Abstract The National Institute of Standards and Technology (NIST) Modes of Operation Validation System for the Triple Data
Encryption Algorithm (TMOVS) specifies the procedures involved in validating implementations of the Triple DES
algorithm in ANSI X9.52 - 1998, Triple Data Encryption Algorithm Modes of Operation. Successful completion of the tests
contained within the TMOVS is required to claim conformance to ANSI X9.52-1998. The TMOVS is designed to perform
automated testing on Implementations Under Test (IUTs). This publication provides a brief overview of the Triple DES
algorithm and introduces the basic design and configuration of the TMOVS. Included in this overview are the
specifications for the two categories of tests which make up the TMOVS, i.e., the Known Answer tests and the Modes
tests. The requirements and administrative procedures to be followed by those seeking formal NIST validation of an
implementation of the Triple DES algorithm are presented. The requirements described include the specific protocols for
communication between the IUT and the TMOVS, the types of tests which the IUT must pass for formal NIST validation,
and general instructions for accessing and interfacing with the TMOVS. An appendix with tables of values and results for the
TDES Known Answer tests is also provided.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-20
Final SP 800-21 Second edition 12/1/2005 Guideline for Implementing Cryptography in the Federal Government
Topic Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Planning; Risk Assessment;
Services & Acquisitions
Keyword Cryptographic algorithm; cryptographic hash function; cryptographic key; cryptographic module; digital signature; key
establishment; key management; message authentication code
Family Contingency Planning; Incident Response; Planning; System & Communication Protection; System & Services Acquisition
Abstract This Second Edition of NIST Special Publication (SP) 800-21 updates and replaces the November 1999 edition of Guideline for
Implementing Cryptography in the Federal Government. Many of the references and cryptographic techniques contained in the first
edition of NIST SP 800-21 have been amended, rescinded, or superseded since its publication. The current publication offers new tools
and techniques. NIST SP 800-21 is intended to provide a structured, yet flexible set of guidelines for selecting, specifying, employing,
and evaluating cryptographic protection mechanisms in Federal information systems, and thus makes a significant contribution toward
satisfying the security requirements of the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. The
current publication also reflects the elimination of the waiver process by the Federal Information Security Management Act (FISMA) of
2002.
SP 800-21 includes background information, describes the advantages of using cryptography; defines the role and use of standards
and describes standards organizations that are outside the Federal government; describes the methods that are available for symmetric
and asymmetric key cryptography; describes implementation issues (e.g., key management); discusses assessments, including the
Cryptographic Module Validation Program (CMVP), the Common Criteria (CC), and Certification and Accreditation (C&A); and describes
the process of choosing the types of cryptography to be used and selecting a cryptographic method or methods to fulfill a specific
requirement.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-21-2nd%20edition
Final SP 800-22 Rev. 1a 4/1/2010 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
Topic Cryptography
Keyword Random number generator; hypothesis test; P-value
Family Certification, Accreditation & Security Assessments; System & Communication Protection
Abstract This paper discusses some aspects of selecting and testing random and pseudorandom number generators. The outputs
of such generators may be used in many cryptographic applications, such as the generation of key material. Generators
suitable for use in cryptographic applications may need to meet stronger requirements than for other applications. In
particular, their outputs must be unpredictable in the absence of knowledge of the inputs. Some criteria for characterizing
and selecting appropriate generators are discussed in this document. The subject of statistical testing and its relation to
cryptanalysis is also discussed, and some recommended statistical tests are provided. These tests may be useful as a
first step in determining whether or not a generator is suitable for a particular cryptographic application. However, no set of
statistical tests can absolutely certify a generator as appropriate for usage in a particular application, i.e., statistical testing
cannot serve as a substitute for cryptanalysis. The design and cryptanalysis of generators is outside the scope of this
paper.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-22-Rev.%201a
Final SP 800-23 8/1/2000 Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
Topic Certification & Accreditation (C&A); Risk Assessment
Keyword Assurance; computer security; evaluation; information assurance; IT security; security testing
Family Certification, Accreditation & Security Assessments; Risk Assessment; System & Services Acquisition
Abstract Computer security assurance provides a basis for one to have confidence that security measures, both technical and
operational, work as intended. Use of products with an appropriate degree of assurance contributes to security and
assurance of the system as a whole and thus should be an important factor in IT procurement decisions. Two Government
programs are of particular interest -- the National Information Assurance Partnership (NIAP)'s Common Criteria Evaluation
and Validation Program and NIST's Cryptographic Module Validation Program (CMVP). The NIAP program focuses on
evaluations of products (e.g., a firewall or operating system) against a set of security specifications. The CMVP program
focuses on security conformance testing of a cryptographic module against Federal Information Processing Standard 140-1,
Security Requirements for Cryptographic Modules and related federal cryptographic algorithm standards.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-23
Final SP 800-24 4/1/2001 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
Topic Communications & Wireless; Maintenance
Keyword Computer security; PBX; private branch exchange; telecommunications security
Family Access Control; Contingency Planning; Identification & Authentication; Maintenance; Media Protection; Physical &
Environmental Protection; Risk Assessment
Abstract This report presents a generic methodology for conducting an analysis of a Private Branch Exchange (PBX) in order to
identify security vulnerabilities. The report focuses on digital-based PBXs and addresses the following areas for study:
System Architecture; Hardware; Maintenance; Administrative Database/Software; and User Features. The methods
described in this report are designed to assist administrators in conducting this type of testing. Computer based telephony
systems and new techniques such as voice over IP (VOIP) present an entirely new collection of vulnerabilities and are not
addressed in this report. However, some of the evaluation methods described here may be applied to these systems as
well.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-24
Final SP 800-25 10/1/2000 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
Topic Authentication; Cryptography; Digital Signatures; PKI; Planning; Services & Acquisitions
Keyword Federal bridge CA; Government Paperwork Elimination Act; GPEA; guidance; PKI; public key infrastructure
Family Contingency Planning; Identification & Authentication; Planning; Risk Assessment; System & Communication Protection
Abstract This guidance document was developed by the Federal Public Key Infrastructure Steering Committee to assist Federal
agencies that are considering the use of public key technology for digital signatures or authentication over open networks
such as the Internet. This includes communications with other Federal or non-Federal entities, such as members of the
public, private firms, citizen groups, and state and local governments. Most public key technology applications for digital
signatures provide for user authentication as well. However, public key technology can be used for user authentication
only without digital signatures. Standards such as X.509 provide for that functionality. This document encourages the
thoughtful use of public key technology by Federal agencies as set forth in guidance published by the Office of
Management and Budget implementing the Government Paperwork Elimination Act (GPEA). It also amplifies upon
principles contained in the GPEA guidance and separately in Access with Trust issued in September 1998 by the Office of
Management and Budget, the National Partnership for Reinventing Government, and the Government Information
Technology Services Board. Finally, it discusses briefly the government-wide Public Key Infrastructure (PKI) which is
developing to enable applications programs to effectively use public key technology across Federal agencies.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-25
Final SP 800-27 Rev. A 6/1/2004 Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A
Topic General IT Security; Planning
Keyword Computer security; engineering principles; IT security; security baseline
Family Planning; System & Services Acquisition
Abstract The Engineering Principles for Information Technology (IT) Security (EP-ITS) presents a list of system-level security
principles to be considered in the design, development, and operation of an information system. This document is to be
used by IT security stakeholders and the principles introduced can be applied to general support systems and major
applications. EP-ITS presents principles that apply to all systems, not ones tied to specific technology areas. These
principles provide a foundation upon which a more consistent and structured approach to the design, development, and
implementation of IT security capabilities can be constructed. While the primary focus of these principles remains on the
implementation of technical countermeasures, these principles highlight the fact that, to be effective, a system security
design should also consider non-technical issues, such as policy, operational procedures, and user education.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-27-Rev.%20A
Final SP 800-28 Version 2 3/1/2008 Guidelines on Active Content and Mobile Code
Topic Risk Assessment; Viruses & Malware
Keyword Active content; email security; malware; mobile code; Web security
Family Access Control; Risk Assessment; System & Communication Protection; System & Information Integrity
Abstract Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation,
to execute when the document is rendered. Like any technology, active content can be used to deliver essential services,
but it can also become a source of vulnerability for exploitation by an attacker. The purpose of this document is to provide
an overview of active content and mobile code technologies in use today and offer insights for making informed IT security
decisions on their application and treatment. The discussion gives details about the threats, technology risks, and
safeguards for end user systems, such as desktops and laptops. Although various end user applications, such as email
clients, can involve active content, Web browsers remain the primary vehicle for delivery and are underscored in the
discussion. The tenets presented for Web browsers apply equally well to other end user applications and can be inferred
directly.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-28-Version%202
Final SP 800-29 6/1/2001 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
Topic Cryptography
Keyword Cryptographic modules; cryptography; cryptography security requirements; FIPS PUB 140-1; FIPS PUB 140-2
Family System & Communication Protection
Abstract Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in
critical infrastructures, electronic commerce, and other application areas. Cryptographic modules are implemented in
these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation and
identification and authentication. A documented methodology for conformance testing through a defined set of security
requirements in FIPS 140-1 and FIPS 140-2 and other cryptographic standards is specified in the Derived Test
Requirements. FIPS 140-1 is one of NIST's most successful standards and forms the very foundation of the Cryptographic
Module Validation Program. FIPS 140-2 addresses lessons learned from questions and comments and reflects changes
in technology. The standard was strengthened, but not changed in focus or emphasis. Also, the standard was minimally
restructured to: standardize the language and terminology to add clarity and consistency; remove redundant and
extraneous information to make the standard more concise; and revise or remove vague requirements. Finally, a new
section was added detailing new types of attacks on cryptographic modules that currently do not have specific testing
available. This differences paper summarizes the changes from FIPS 140-1 to FIPS 140-2 and documents the detailed
requirements.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-29
Final SP 800-30 Rev. 1 9/1/2012 Guide for Conducting Risk Assessments
Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment
Keyword Cost-benefit analysis; residual risk; risk; risk assessment; risk management; risk mitigation; security controls; threat
vulnerability
Family Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System &
Services Acquisition
Abstract The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information
systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all
three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior
leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-30-Rev.%201
Final SP 800-32 2/26/2001 Introduction to Public Key Technology and the Federal PKI Infrastructure
Topic Authentication; Cryptography; Digital Signatures; PKI; Planning
Keyword Certificates; digital signatures; PKI; public key infrastructure
Family Identification & Authentication; Planning; Risk Assessment; System & Communication Protection
Abstract This publication was developed to assist agency decision-makers in determining if a PKI is appropriate for their agency,
and how PKI services can be deployed most effectively within a Federal agency. It is intended to provide an overview of
PKI functions and their applications. Additional documentation will be required to fully analyze the costs and benefits of
PKI systems for agency use, and to develop plans for their implementation. This document provides a starting point and
references to more comprehensive publications.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-32
Final SP 800-33 12/1/2001 Underlying Technical Models for Information Technology Security
Topic General IT Security; Planning
Keyword Computer security; information technology security; IT security; technical models
Family Planning; System & Services Acquisition
Abstract Underlying Technical Models for Information Technology Security provides a description of the technical foundations,
termed models, that underlie secure information technology (IT). The intent is to provide, in a concise form, the models
that should be considered in the design and development of technical security capabilities. These models encompass
lessons learned, good practices, and specific technical considerations. The intended audience consists of both
government and private sectors including: IT users desiring a better understanding of system security; engineers and
architects designing/building security capabilities; and those developing guidance for others to use in implementing
security capabilities.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-33
Final SP 800-34 Rev. 1 11/11/2010 Contingency Planning Guide for Federal Information Systems
Topic Certification & Accreditation (C&A); Contingency Planning
Keyword Contingency Planning; Resilience; Information System Contingency Plan; Incident Response Plan; Disaster Recovery
Plan
Family Contingency Planning; Maintenance; Planning; Risk Assessment; System & Services Acquisition
Abstract This publication assists organizations in understanding the purpose, process, and format of information system
contingency planning development through practical, real-world guidelines. This guidance document provides background
information on interrelationships between information system contingency planning and other types of security and
emergency management-related contingency plans, organizational resiliency, and the system development life cycle. This
document provides guidance to help personnel evaluate information systems and operations to determine contingency
planning requirements and priorities.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Develop Contingency Plans & Procedures
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-34-Rev.%201
Final SP 800-35 10/1/2003 Guide to Information Technology Security Services
Topic Planning; Services & Acquisitions
Keyword Computer security; information security; life cycle; outsourcing business case; security service; service level agreement;
service provider; total cost of ownership
Family Certification, Accreditation & Security Assessments; Configuration Management; System & Services Acquisition
Abstract Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to
maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from
security policy development to intrusion detection support, may be offered by an IT group internal to an organization, or by
a growing group of vendors. It is difficult and challenging to determine service provider capabilities, measure service
reliability and navigate the many complexities involved in security service agreements. This guide provides assistance with
the selection, implementation, and management of IT security services by guiding organizations through the various
phases of the IT security services life cycle. This life cycle provides a framework that enables the IT security decision
makers to organize their IT security efforts from initiation to closeout. The factors to be considered when selecting,
implementing, and managing IT security services include: the type of service arrangement; service provider qualifications,
operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and
the service provider's capability to deliver adequate protection for the organization systems, applications, and information.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-35
Final SP 800-36 10/1/2003 Guide to Selecting Information Technology Security Products
Topic Planning; Services & Acquisitions
Keyword Computer security; enterprise architecture; life cycle; products; security controls
Family Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Incident Response;
Media Protection; Risk Assessment; System & Communication Protection; System & Information Integrity; System &
Services Acquisition
Abstract The selection of IT security products is an integral part of the design, development and maintenance of an IT security
infrastructure that ensures confidentiality, integrity, and availability of mission critical information. The guide seeks to
assist in choosing IT security products that meet an organization's requirements. It should be used with other NIST
publications to develop a comprehensive approach to meeting an organization's computer security and information
assurance requirements. This guide defines broad security product categories, specifies product types within those
categories, and then provides a list of characteristics and pertinent questions an organization should ask when selecting a
product from within these categories.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-36
Final SP 800-37 Rev. 1 2/1/2010 Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach
Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment
Keyword Risk management framework; categorize; security controls; information systems; common controls; roles and
responsibilities; security authorization; continuous monitoring; FISMA
Family Certification, Accreditation & Security Assessments; Configuration Management; Planning; Program Management; Risk
Assessment
Abstract The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal
information systems to include conducting the activities of security categorization, security control selection and
implementation, security control assessment, information system authorization, and security control monitoring.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Certify & Accredit Systems
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-37-Rev.%201
Final SP 800-38A 12/1/2001 Recommendation for Block Cipher Modes of Operation: Methods and Techniques
Topic Authentication; Cryptography
Keyword Computer security; cryptography; data security; block cipher; encryption;
mode of operation.
Family System & Communication Protection
Abstract This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block
cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback
(OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information
Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer
data.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-A
800-38A Addendum 10/1/2010 Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
Topic Authentication; Cryptography
Keyword Block cipher; ciphertext stealing; cryptography; encryption; mode of operation
Family System & Communication Protection
Abstract A limitation to Cipher Block Chaining (CBC) mode, as specified in NIST Special Publication 800-38A, is that the plaintext
input must consist of a sequence of blocks. Ciphertext stealing is a padding method in which the required padding bits are
"stolen" from the penultimate ciphertext block. This addendum to SP 800-38A specifies three variants of CBC mode with
ciphertext stealing. These variants, which differ only in the ordering of the ciphertext bits, can encrypt any input whose bit
length is greater than or equal to the block size. Unlike conventional padding methods, these variants do not expand the
length of the data.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-A%20-%20Addendum
Final SP 800-38B 5/1/2005 Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication
Topic Authentication; Cryptography
Keyword Authentication; block cipher; cryptography; information security; integrity;
message authentication code; mode of operation.
Family System & Communication Protection
Abstract This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher.
This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence,
the integrity of binary data.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-B
Final SP 800-38C 7/20/2007 Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
Topic Authentication; Cryptography
Keyword Authenticated encryption; authentication; block cipher; confidentiality; cryptography; encryption; information security;
message authentication code; mode of operation
Family System & Communication Protection
Abstract This Recommendation defines a mode of operation, called Counter with Cipher Block Chaining-Message Authentication
Code (CCM), for a symmetric key block cipher algorithm. CCM may be used to provide assurance of the confidentiality
and the authenticity of computer data by combining the techniques of the Counter (CTR) mode and the Cipher Block
Chaining-Message Authentication Code (CBC-MAC) algorithm.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-C
Final SP 800-38D 11/1/2007 Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
Topic Authentication; Cryptography
Keyword Authenticated encryption; authentication; block cipher; confidentiality; cryptography; encryption; information security;
mode of operation.
Family System & Communication Protection
Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with
associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not
encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-D
Final SP 800-38E 1/1/2010 Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices
Topic Authentication; Cryptography
Keyword Block cipher; ciphertext stealing; computer security; confidentiality; cryptography; encryption; information security mode of
operation; tweakable block cipher.
Family System & Communication Protection
Abstract This publication approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one
additional requirement, as an option for protecting the confidentiality of data on storage devices. The mode does not
provide authentication of the data or its source.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-E
Final SP 800-38F 12/21/2012 Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
Topic Authentication; Cryptography
Keyword authenticated encryption; authentication; block cipher; computer security; confidentiality; cryptography; encryption;
information security; key wrapping; mode of operation
Family System & Communication Protection
Abstract This publication describes cryptographic methods that are approved for “key wrapping,” i.e., the protection of the
confidentiality and integrity of cryptographic keys. In addition to describing existing methods, this publication specifies two
new, deterministic authenticated-encryption modes of operation of the Advanced Encryption Standard (AES) algorithm:
the AES Key Wrap (KW) mode and the AES Key Wrap With Padding (KWP) mode. An analogous mode with the Triple
Data Encryption Algorithm (TDEA) as the underlying block cipher, called TKW, is also specified, to support legacy
applications.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-F
DRAFT SP 800-38G 7/8/2013 Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
Topic Authentication; Cryptography
Keyword block cipher; computer security; confidentiality; cryptography; encryption; Feistel structure; format-preserving encryption;
information security; mode of operation
Family System & Communication Protection
Abstract This Recommendation specifies three methods for format-preserving encryption, called FF1, FF2, and FF3. Each of these
methods is a mode of operation of the AES algorithm, which is used to construct a round function within the Feistel
structure for encryption.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-G
Final SP 800-39 3/1/2011 Managing Information Security Risk: Organization, Mission, and Information System View
Topic Planning; Risk Assessment
Keyword Risk management; security; risk assessment; roles; responsibilities; organization; mission; information system; enterprise
risk management; continuous monitoring; joint task force transformation initiative
Family Program Management
Abstract The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for
managing information security risk to organizational operations (i.e., mission, functions, image, and reputation),
organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal
information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing information
security risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on
an ongoing basis provided by other supporting NIST security standards and guidelines. The guidance provided in this
publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that
organizations have implemented or intend to implement addressing areas of risk management covered by other
legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the information
security risk management guidance described herein is complementary to and can be used as part of a more
comprehensive Enterprise Risk Management (ERM) program.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-39
Final SP 800-40 Rev. 3 7/22/2013 Guide to Enterprise Patch Management Technologies
Topic Maintenance; Planning; Risk Assessment
Keyword information security; patch management; remediation; software patches; vulnerability management
Family Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Information Integrity
Abstract Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems.
This publication is designed to assist organizations in understanding the basics of enterprise patch management
technologies. It explains the importance of patch management and examines the challenges inherent in performing patch
management. It provides an overview of enterprise patch management technologies and it also briefly discusses metrics
for measuring the technologies’ effectiveness. Draft NIST SP 800-40 Revision 3 replaces the previous release (version 2),
which was published in 2005.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-40-Rev.%203
800-40 Version 2.0 11/1/2005 Creating a Patch and Vulnerability Management Program
Topic Maintenance; Planning; Risk Assessment; Viruses & Malware
Keyword Computer security; security patches; vulnerability management
Family Awareness & Training; Configuration Management; Planning; Risk Assessment
Abstract This document provides guidance on creating a security patch and vulnerability management program and testing the
effectiveness of that program. The primary audience is security managers who are responsible for designing and
implementing the program. However, this document also contains information useful to system administrators and
operations personnel who are responsible for applying patches and deploying solutions (i.e., information related to testing
patches and enterprise patching software).
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-40-Version%202.0
Final SP 800-41 Rev. 1 9/1/2009 Guidelines on Firewalls and Firewall Policy
Topic Audit & Accountability; Communications & Wireless; Planning
Keyword Firewall policy; firewalls; host-based firewalls; network firewalls; network security; packet filtering; perimeter security;
personal firewalls; proxies
Family Access Control; Audit & Accountability; Planning; System & Communication Protection
Abstract Firewalls are devices or programs that control the flow of network traffic between networks or hosts employing differing
security postures. This publication provides an overview of several types of firewall technologies and discusses their
security capabilities and their relative advantages and disadvantages in detail. It also makes recommendations for
establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions.
Legal Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-41-Rev.%201
Final SP 800-43 11/1/2002 Systems Administration Guidance for Securing Windows 2000 Professional System
Topic Maintenance; Planning
Keyword E-mail client; hardening; lock-down; Microsoft Windows 2000; operating system; patches; security; virus; web-browser
Family Access Control; Configuration Management; Contingency Planning; System & Information Integrity
Abstract The document is intended to assist the users and system administrators of Windows 2000 Professional systems in configuring their
hosts by providing configuration templates and security checklists. The guide provides detailed information about the security features of
Win2K Pro, security configuration guidelines for popular applications, and security configuration guidelines for the Win2K Pro operating
system. The guide documents the methods that the system administrators can use to implement each security setting recommended.
The principal goal of the document is to recommend and explain tested, secure settings for Win2K Pro workstations with the objective of
simplifying the administrative burden of improving the security of Win2K Pro systems. This guidance document also includes
recommendations for testing and configuring common Windows applications. The application types include electronic mail (e-mail)
clients, Web browsers, productivity applications, and antivirus scanners. This list is not intended to be a complete list of applications to
install on Windows 2000 Professional, nor does it imply NIST's endorsement of particular commercial off-the-shelf (COTS) products.
Many of the configuration recommendations for the tested Windows applications focus on deterring viruses, worms, Trojan horses, and
other types of malicious code. The guide presents recommendations to protect the Windows 2000 Professional system from malicious
code when the tested applications are being used.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-43
Final SP 800-44 Version 2 9/1/2007 Guidelines on Securing Public Web Servers
Topic General IT Security; Planning
Keyword Web server; Web server security
Family Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Planning;
System & Communication Protection
Abstract Web servers are often the most targeted and attacked hosts on organizations' networks. As a result, it is essential to
secure Web servers and the network infrastructure that supports them. This document is intended to assist organizations
in installing, configuring, and maintaining secure public Web servers. Practices described in detail include choosing Web
server software and platforms, securing the underlying operating system and Web server software, deploying appropriate
network protection mechanisms, and using, publicizing, and protecting information in a careful and systematic manner.
The publication also provides recommendations for maintaining secure configurations through patching and upgrades,
security testing, log monitoring, and backups of data and operating system files.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-44-Version%202
Final SP 800-45 Version 2 2/1/2007 Guidelines on Electronic Mail Security
Topic Communications & Wireless
Keyword E-mail; electronic mail; FISMA
Family Access Control; Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication;
Planning; Risk Assessment; System & Communication Protection; System & Information Integrity
Abstract This document was developed in furtherance of NIST's statutory responsibilities under the Federal Information Security
Management Act (FISMA) of 2002, Public Law 107-347. The purpose of the publication is to recommend security
practices for designing, implementing, and operating email systems on public and private networks. It contains information
on popular email encryption standards and other standards relating to email. It presents general information on securing
mail servers' operating systems and specific guidance on securing mail server applications, protecting messages
traversing servers, and securing access to mailboxes. It also provides information regarding email client security and mail
server administration.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-45-Version%202
Final SP 800-46 Rev. 1 6/1/2009 Guide to Enterprise Telework and Remote Access Security
Topic Authentication; Communications & Wireless; Contingency Planning; General IT Security; Viruses & Malware
Keyword Mobile device security; remote access; remote access security; telework; telework security; virtual private networking
Family Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Media Protection; Risk
Assessment; System & Communication Protection; System & Information Integrity
Abstract Many organizations' employees and contractors use enterprise telework technologies to perform work from external
locations. Most teleworkers use remote access technologies to interface with an organization's non-public computing
resources. The nature of telework and remote access technologies permitting access to protected resources from external
networks and often external hosts as well generally places them at higher risk than similar technologies only accessed
from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through
remote access. This publication provides information on security considerations for several types of remote access
solutions, and it makes recommendations for securing a variety of telework and remote access technologies. It also gives
advice on creating telework security policies.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Develop Contingency Plans & Procedures
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-46-Rev.%201
Final SP 800-47 8/1/2002 Security Guide for Interconnecting Information Technology Systems
Topic Certification & Accreditation (C&A); General IT Security; Planning; Risk Assessment
Keyword Information systems security; interconnecting systems; IT security; system development life cycle
Family Certification, Accreditation & Security Assessments
Abstract The Security Guide for Interconnecting Information Technology Systems provides guidance for planning, establishing, maintaining, and
terminating interconnections between information technology (IT) systems that are owned and operated by different organizations. They
are consistent with the requirements specified in the Office of Management and Budget (OMB) Circular A-130, Appendix III, for system
interconnection and information sharing. A system interconnection is defined as the direct connection of two or more IT systems for the
purpose of sharing data and other information resources. The document describes benefits of interconnecting IT systems, defines the
basic components of an interconnection, identifies methods and levels of interconnectivity, and discusses potential security risks.
The document then presents a "life-cycle" approach for system interconnections, with an emphasis on security. Four phases are
addressed: a) Planning the interconnection: the organizations perform preliminary activities; examine technical, security, and
administrative issues; and form an agreement governing the management, operation, and use of the interconnection; b) Establishing
the interconnection: the organizations develop and execute a plan for establishing the interconnection, including implementing or
configuring security controls; c) Maintaining the interconnection: the organizations maintain the interconnection after it is established to
ensure that it operates properly and securely; and d) Disconnecting the interconnection: one or both organizations may terminate the
interconnection. The termination should be conducted in a planned manner to avoid disrupting the other party's system. In an
emergency, however, one or both organizations may choose to terminate the interconnection immediately.
The document provides recommended steps for completing each phase, emphasizing security measures to protect the systems and
shared data. The document also contains guides and samples for developing an Interconnection Security Agreement (ISA) and a
Memorandum of Understanding/Agreement (MOU/A). The ISA specifies technical and security requirements of the interconnection; the
MOU/A defines the responsibilities of the organizations. Finally, the document contains a guide for developing an Implementation Plan
to establish the interconnection.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-47
Final SP 800-48 Rev. 1 7/1/2008 Guide to Securing Legacy IEEE 802.11 Wireless Networks
Topic Authentication; Communications & Wireless; General IT Security; Planning; Services & Acquisitions
Keyword IEEE 802.11; network security; wireless local area network; wireless networking
Family Access Control; Configuration Management; Identification & Authentication; Planning; System & Communication
Protection; System & Information Integrity; System & Services Acquisition
Abstract The purpose of this document is to provide guidance to organizations in securing their legacy Institute of Electrical and
Electronics Engineers (IEEE) 802.11 wireless local area networks (WLAN) that cannot use IEEE 802.11i. The document
provides an overview of legacy IEEE 802.11 WLAN standards, components, and architectural models. It discusses the
basics of WLAN security and examines the security capabilities provided by legacy IEEE 802.11 standards. The
document also discusses threats and vulnerabilities involving legacy IEEE 802.11 WLANs, explains common
countermeasures, and makes recommendations for their use.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-48-Rev.%201
Final SP 800-49 11/1/2002 Federal S/MIME V3 Client Profile
Topic Cryptography; Digital Signatures
Keyword Federal IT profile; interoperability of secure electronic mail; S/MIME profile; secure e-mail standards
Family Audit & Accountability; System & Communication Protection
Abstract The National Institute of Standards and Technology (NIST), Information Technology Laboratory, Computer Security
Division, has developed this S/MIME (Secure / Multipurpose Internet Mail Extensions) client profile as guidance in the
development and procurement of commercial-off-the-shelf (COTS) S/MIME-compliant products. This profile document
identifies requirements for a secure and interoperable S/MIME V3 client implementation. NIST is developing tests and
testing tools to determine the level of conformance of an S/MIME V3 client implementation with this profile.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-49
Final SP 800-50 10/1/2003 Building an Information Technology Security Awareness and Training Program
Topic Audit & Accountability; Awareness & Training
Keyword Awareness; certification; design; develop; education; implement; maintain; metrics; training
Family Awareness & Training; Contingency Planning; Incident Response
Abstract NIST Special Publication 800-50, Building An Information Technology Security Awareness and Training Program,
provides guidance for building an effective information technology (IT) security program and supports requirements
specified in the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and
Budget (OMB) Circular A-130, Appendix III. The document identifies the four critical steps in the life cycle of an IT security
awareness and training program: 1) awareness and training program design (Section 3); 2) awareness and training
material development (Section 4); 3) program implementation (Section 5); and 4) post-implementation (Section 6). The
document is a companion publication to NIST Special Publication 800-16, Information Technology Security Training
Requirements: A Role- and Performance-Based Model. The two publications are complementary - SP 800-50 works at a
higher strategic level, discussing how to build an IT security awareness and training program, while SP 800-16 is at a
lower tactical level, describing an approach to role-based IT security training.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Conduct Security Awareness Training
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-50
Final SP 800-51 Rev. 1 2/1/2011 Guide to Using Vulnerability Naming Schemes
Topic Audit & Accountability; General IT Security; Incident Response; Services & Acquisitions
Keyword Common Configuration Enumeration (CCE); Common Vulnerabilities and Exposures (CVE); security automation; security
configuration; Security Content Automation Protocol (SCAP); vulnerability naming; vulnerabilities
Family Audit & Accountability; Configuration Management; Incident Response; Risk Assessment; System & Services Acquisition
Abstract This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and
Exposures (CVE) and Common Configuration Enumeration (CCE). SP 800-51 Revision 1 gives an introduction to both
naming schemes and makes recommendations for end-user organizations on using their names. The publication also
presents recommendations for software and service vendors on how they should use vulnerability names and naming
schemes in their product and service offerings.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-51-Rev.%201
Final SP 800-52 Rev. 1 4/28/2014 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
Topic Communications & Wireless; Cryptography; General IT Security; PKI
Keyword information security; network security; SSL; TLS; Transport Layer Security
Family System & Communication Protection
Abstract Transport Layer Security (TLS) provides mechanisms to protect sensitive data during electronic dissemination across the
Internet. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations
while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic
algorithms. It requires TLS 1.1 configured with FIPS-based cipher suites as the minimum appropriate secure
transport protocol and recommends that agencies develop migration plans to TLS 1.2 by January 1, 2015. This Special
Publication also identifies TLS extensions for which mandatory support must be provided and other recommended
extensions.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#800-52
Final SP 800-53 Rev. 3 5/1/2010 Recommended Security Controls for Federal Information Systems and Organizations
Topic Audit & Accountability; Authentication; Awareness & Training; Certification & Accreditation (C&A); Communications &
Wireless; Contingency Planning; Cryptography; General IT Security; Incident Response; Maintenance; Planning; Risk
Assessment; Services & Acquisitions; Viruses & Malware
Keyword Security controls; risk management framework; security control assurance; security requirements; common controls;
security control baselines; managing risk; FISMA
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &
Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract The objective of NIST SP 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security
requirements levied on information systems and organizations and that is consistent with and complementary to other
established information security standards. Revision 3 is the first major update since December 2005 and includes
significant improvements to the security control catalog.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-Rev.%203
Final SP 800-53 Rev. 4 1/15/2014 Security and Privacy Controls for Federal Information Systems and Organizations
Topic Audit & Accountability; Authentication; Awareness & Training; Certification & Accreditation (C&A); Communications &
Wireless; Contingency Planning; Cryptography; General IT Security; Incident Response; Maintenance; Planning; Risk
Assessment; Services & Acquisitions; Viruses & Malware
Keyword assurance; computer security; FIPS Publication 199; FIPS Publication 200; FISMA; Privacy Act; Risk Management
Framework; security controls; security requirements
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &
Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for
selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets,
individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural
failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as
part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security
and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies,
directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of
controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the
catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms
provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security
functionality and assurance helps to ensure that information technology component products and the information systems built from
those products using sound system and security engineering principles are sufficiently trustworthy.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-Rev.%204
Final SP 800-53A Rev. 1 6/1/2010 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security
Assessment Plans
Topic Audit & Accountability; Certification & Accreditation (C&A)
Keyword FISMA; security controls; risk management; categorization; security assessment plans; assurance requirements;
attributes; 800-53
Family Certification, Accreditation & Security Assessments; Program Management; Risk Assessment
Abstract Special Publication 800-53A, Revision 1 provides guidelines for developing security assessment plans and associated security control
assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal
Information Systems and Organizations, August 2009 (including updates as of 05-01-2010). NIST has been working in partnership with
the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security
Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The updated
security assessment guideline incorporates best practices in information security from the United States Department of Defense,
Intelligence Community, and Civil agencies and includes security control assessment procedures for both national security and
non-national security systems. The guideline for developing security assessment plans is intended to support a wide variety of assessment
activities in all phases of the system development life cycle including development, implementation, and operation. The important
changes described in Special Publication 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near
real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely
affect organizational operations and assets, individuals, other organizations, and the Nation. The increased flexibility in the selection of
assessment methods, assessment objects, and depth and coverage attribute values empowers organizations to place the appropriate
emphasis on the assessment process at every stage in the system development life cycle.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-A%20Rev.%201
Final SP 800-54 7/1/2007 Border Gateway Protocol Security
Topic Communications & Wireless; Planning
Keyword BGP; Border Gateway Protocol; computer security; routers
Family Configuration Management; Planning; System & Communication Protection
Abstract This document introduces the Border Gateway Protocol (BGP), explains its importance to the internet, and provides a set
of best practices that can help in protecting BGP. Best practices described here are intended to be implementable on
nearly all currently available BGP routers. While a number of enhanced protocols for BGP have been proposed, these
generally require substantial changes to the protocol and may not interoperate with current BGP implementations. To
improve the security of BGP routers, the recommendations listed below are introduced. While the recommendations can
contribute to greatly improved BGP security, they are not a complete defense against all threats. Security administrators
and decision makers should select and apply these methods based on their unique needs.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-54
Final SP 800-55 Rev. 1 7/1/2008 Performance Measurement Guide for Information Security
Topic Audit & Accountability; Certification & Accreditation (C&A); Maintenance; Planning
Keyword Information Security; Metrics; Measures; Security Controls; Performance; Reports
Family Certification, Accreditation & Security Assessments; Maintenance; Planning; Program Management
Abstract This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place
security controls, policies, and procedures. It provides an approach to help management decide where to invest in
additional security protection resources or identify and evaluate nonproductive controls. It explains the metric
development and implementation process and how it can also be used to adequately justify security control investments.
The results of an effective metric program can provide useful data for directing the allocation of information security
resources and should simplify the preparation of performance-related reports.
Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-55-Rev.%201
Final SP 800-56A Rev. 2 5/15/2013 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
Topic Cryptography
Keyword Diffie-Hellman; elliptic curve cryptography; finite field cryptography; key-agreement; key-confirmation; key derivation; key
establishment; key-transport; MQV
Family System & Communication Protection
Abstract This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields
and elliptic curves, including several variations of Diffie-Hellman and Menezes-Qu-Vanstone (MQV) key establishment
schemes.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-A%20Rev.%202
DRAFT SP 800-56B Rev. 1 3/12/2014 Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography
Topic Cryptography
Keyword assurances; integer factorization cryptography; key agreement; key confirmation; key derivation; key-establishment; key
management; key recovery; key-transport
Family System & Communication Protection
Abstract This Recommendation specifies key-establishment schemes using integer factorization cryptography, based on ANS
X9.44, Key-establishment using Integer Factorization Cryptography [ANS X9.44], which was developed by the Accredited
Standards Committee (ASC) X9, Inc.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-B%20Rev.%201
Final SP 800-56B 8/1/2009 Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography
Topic Cryptography
Keyword Assurances; integer factorization cryptography; key agreement; key confirmation; key derivation; key establishment; key
management; key recovery; key transport.
Family System & Communication Protection
Abstract This Recommendation specifies key establishment schemes using integer factorization cryptography, based on ANS
X9.44, Key Establishment using Integer Factorization Cryptography, which was developed by the Accredited Standards
Committee (ASC) X9, Inc.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-B
Final SP 800-56C 11/1/2011 Recommendation for Key Derivation through Extraction-then-Expansion
Topic Cryptography
Keyword Key derivation; extraction; expansion
Family System & Communication Protection
Abstract This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a
key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-
expansion procedure.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-C
Final SP 800-57 Part 1 Rev. 3 7/1/2012 Recommendation for Key Management, Part 1: General (Revision 3)
Topic Authentication; Cryptography; Digital Signatures; PKI; Planning
Keyword Assurances; authentication; authorization; availability; backup; compromise; confidentiality; cryptanalysis; cryptographic
key; cryptographic module; digital signature; hash function; key agreement; key management; key management policy;
key recovery; key transport; originator usage period; private key; public key; recipient usage period; secret key; split
knowledge; trust anchor.
Family Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication
Protection; System & Information Integrity
Abstract This Recommendation provides cryptographic key management guidance. It consists of three
parts. Part 1 provides general guidance and best practices for the management of cryptographic
keying material. Part 2 provides guidance on policy and security planning requirements for U.S.
government agencies. Finally, Part 3 provides guidance when using the cryptographic features of
current systems.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%201
Final SP 800-57 Part 2 8/1/2005 Recommendation for Key Management, Part 2: Best Practices for Key Management Organization
Topic Authentication; Cryptography; Digital Signatures; PKI; Planning
Keyword Accreditation; certification; cryptographic key; digital signature; key management; key management policy; public key;
public key infrastructure; security plan
Family Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication
Protection; System & Information Integrity
Abstract This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides
general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on
policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the
cryptographic features of current systems.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%202
Final SP 800-57 Part 3 12/1/2009 Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
Topic Authentication; Cryptography; Digital Signatures; PKI; Planning
Keyword Accreditation; assurances; authentication; authorization; availability; backup; certification; compromise; confidentiality;
cryptanalysis; cryptographic key; cryptographic module; digital signature; key management; key management policy; key
recovery; private key; public key; public key infrastructure; security plan; trust anchor; validation
Family Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication
Protection; System & Information Integrity
Abstract This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides
general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on
policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the
cryptographic features of current systems.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%203
Final SP 800-58 1/1/2005 Security Considerations for Voice Over IP Systems
Topic Communications & Wireless; Services & Acquisitions
Keyword Telecommunications security; Voice Over Internet Protocol; VOIP; vulnerabilities
Family Access Control; Physical & Environmental Protection; Planning; System & Communication Protection
Abstract Voice over Internet Protocol (VOIP) refers to the transmission of speech across data-style networks. This form of
transmission is conceptually superior to conventional circuit switched communication in many ways. However, a plethora
of security issues are associated with still-evolving VOIP technology. This publication introduces VOIP, its security
challenges, and potential countermeasures for VOIP vulnerabilities.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-58
Final SP 800-59 8/1/2003 Guideline for Identifying an Information System as a National Security System
Topic Certification & Accreditation (C&A)
Keyword Computer security; national security systems
Family Risk Assessment
Abstract This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency,
for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security
Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for
information security, superseding the Government Information Security Reform Act and the Computer Security Act. In addition to
defining the term national security system, FISMA amended the NIST Act, at 15 U.S.C. 278g-3(b)(3), to require NIST to provide
guidelines for identifying an information system as a national security system. As stated in the House Committee report, "This guidance
is not to govern such systems, but rather to ensure that agencies receive consistent guidance on the identification of systems that
should be governed by national security system requirements" (Report of the Committee on Government Reform, U.S. House of
Representatives, Report 107-787, November 14, 2002, p. 85). Accordingly, the purpose of these guidelines is not to establish
requirements for national security systems, but rather to assist agencies in determining which, if any, of their systems are national
security systems as defined by FISMA and are to be governed by applicable requirements for such systems, issued in accordance with
law and as directed by the President. The guideline includes definitions of relevant terms, the legal or administrative basis for the
definitions, a checklist to be used in determining whether or not a system is a national security system, and guidelines for completion of
the checklist.
Legal Federal Information Security Management Act of 2002 (FISMA)/Identification of an Information System as a National
Security System;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-59
Final SP 800-60 Rev. 1 8/1/2008 Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories; Volume II:
Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
Topic Certification & Accreditation (C&A); Risk Assessment
Keyword Computer security; cyber security; FISMA; categorization; information type; security category
Family Program Management; Risk Assessment
Abstract Title III of the E-Government Act, titled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST
to develop (1) standards to be used by all Federal agencies to categorize information and information systems collected or
maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security
according to a range of risk levels; and (2) guidelines recommending the types of information and information systems to
be included in each such category. Special Publication 800-60 was issued in response to the second of these tasks. The
revision to Volume I contains the basic guidelines for mapping types of information and information systems to security
categories. The appendices contained in Volume I include security categorization recommendations and rationale for
mission-based and management and support information types.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-60-Rev.%201
Final SP 800-61 Rev. 2 8/1/2012 Computer Security Incident Handling Guide
Topic Incident Response; Maintenance; Risk Assessment; Viruses & Malware
Keyword Computer security incident; incident handling; incident response; threats; vulnerabilities
Family Incident Response; System & Information Integrity
Abstract Computer security incident response has become an important component of information technology (IT) programs.
Because performing incident response effectively is a complex undertaking, establishing a successful incident response
capability requires substantial planning and resources. This publication assists organizations in establishing computer
security incident response capabilities and handling incidents efficiently and effectively. This publication provides
guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response
to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems,
protocols, or applications.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-61-Rev.%202
Final SP 800-63-2 8/29/2013 Electronic Authentication Guideline
Topic Authentication; Cryptography; PKI
Keyword authentication; authentication assurance; credential service provider; electronic
authentication; electronic credentials; identity proofing; passwords; PKI; tokens
Family Identification & Authentication
Abstract This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not
intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote
authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems
over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing,
registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes
NIST SP 800-63-1.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63--2
Final SP 800-64 Rev. 2 10/1/2008 Security Considerations in the System Development Life Cycle
Topic General IT Security
Keyword Computer Security; Cyber Security; FISMA; SDLC; System Development
Family Planning; System & Services Acquisition
Abstract The purpose of this guideline is to assist agencies in building security into their IT development processes. This should
result in more cost-effective, risk-appropriate security control identification, development, and testing. This guide focuses
on the information security components of the System Development Life Cycle (SDLC). Overall system implementation
and development is considered outside the scope of this document. Also considered outside scope is an organization’s
information system governance process.
First, the guideline describes the key security roles and responsibilities that are needed in development of most
information systems. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with
the SDLC process to understand the relationship between information security and the SDLC.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-64-Rev.%202
DRAFT SP 800-65 Rev. 1 7/14/2009 Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process
Topic Planning; Services & Acquisitions
Keyword
Family Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System &
Services Acquisition
Abstract SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing
guidance on selecting, managing, and evaluating information security investments and accounting for information security
in all IT investments.
Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-65-Rev.%201
Final SP 800-65 1/1/2005 Integrating IT Security into the Capital Planning and Investment Control Process
Topic Services & Acquisitions
Keyword Capital planning and investment control; CPIC; FISMA; IT security investments
Family Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System &
Services Acquisition
Abstract Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have
been performed independently by security and capital planning practitioners. However, the Federal Information Security
Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two
activities. In addition, with increased competition for limited federal budgets and resources, agencies must ensure that
available funding is applied towards the agencies' highest priority IT security investments. Applying funding towards high-
priority security investments supports the objective of maintaining appropriate security controls, both at the enterprise-
wide and system level, commensurate with levels of risk and data sensitivity. This special publication introduces common
criteria against which agencies can prioritize security activities to ensure that corrective actions identified in the annual
FISMA reporting process are incorporated into the capital planning process to deliver maximum security in a cost-effective
manner.
Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-65
Final SP 800-66 Rev. 1 10/1/2008 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule
Topic Awareness & Training; Services & Acquisitions
Keyword Information Security; Healthcare; HIPAA; security Rule
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Contingency Planning; Identification & Authentication; Incident Response; Media Protection; Personnel Security; Physical
& Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information
Integrity; System & Services Acquisition
Abstract Special Publication 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule, which discusses security considerations and resources that may provide value
when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information
security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards
set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA
Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule.
This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.
Legal Health Insurance Portability and Accountability Act (HIPAA)/Standardize Electronic Data Interchange in Health Care
Transactions
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-66-Rev.%201
Final SP 800-67 Rev. 1 1/1/2012 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
Topic Cryptography
Keyword Block cipher; computer security; cryptography; data encryption algorithm; security; triple data encryption algorithm
Family System & Communication Protection
Abstract This publication specifies the Triple Data Encryption Algorithm (TDEA), including its primary component cryptographic
engine, the Data Encryption Algorithm (DEA). When implemented in an SP 800-38-series-compliant mode of operation
and in a FIPS 140-2-compliant cryptographic module, TDEA may be used by Federal organizations to protect sensitive
unclassified data. Protection of data during transmission or while in storage may be necessary to maintain the
confidentiality and integrity of the information represented by the data. This Recommendation defines the mathematical
steps required to cryptographically protect data using TDEA and to subsequently process such protected data. TDEA is
made available for use by Federal agencies within the context of a total security program consisting of physical security
procedures, good information management practices, and computer system/network access controls.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-67-Rev.%201
Final SP 800-68 Rev. 1 10/1/2008 Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
Topic Audit & Accountability; Authentication; Maintenance
Keyword Federal Desktop Core Configuration; host security; Windows security; Windows XP security
Family Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Maintenance; System
& Communication Protection; System & Information Integrity
Abstract This publication assists IT professionals in securing Windows XP workstations, mobile computers, and computers used by
telecommuters within various environments. The recommendations are specifically intended for Windows XP Professional
systems running Service Pack 2 or 3. SP 800-68 Revision 1 provides detailed information about the security features of
Windows XP and security configuration guidelines. The publication recommends and explains tested, secure settings with
the objective of simplifying the administrative burden of improving the security of Windows XP systems in five types of
environments: small office/home office, enterprise, specialized security-limited functionality, legacy, and Federal Desktop
Core Configuration (FDCC).
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-68-Rev.%201
Final SP 800-69 9/1/2006 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
Topic Maintenance
Keyword Microsoft Windows; telecommuting; Windows XP; Windows XP Home Edition
Family
Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory
responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This
publication seeks to assist information technology (IT) professionals who may be responsible for securing Windows XP
Home Edition computers within home offices for their organizations. Portions of the publication can also be used by home
users, such as telecommuting Federal civilian agency employees and private sector organizations or individuals, to
secure their personal Windows XP Home Edition computers from common threats such as malware and to keep their
computers secure.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-69
Final SP 800-70 Rev. 2 2/1/2011 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
Topic Security Automation
Keyword Checklists; baseline; security configuration; security measurement; vulnerability measurement; vulnerability scoring
Family Configuration Management; System & Communication Protection
Abstract Special Publication 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and
Developers, describes security configuration checklists and their benefits, and it explains how to use the NIST National
Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and
general requirements for participation in the NCP. SP 800-70 Revision 2 updates the previous version of the document,
which was released in 2009, primarily by adding additional SCAP-oriented guidance and content related to the United
States Government Configuration Baseline (USGCB).
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-70-Rev.%202
Final SP 800-72 11/1/2004 Guidelines on PDA Forensics
Topic Forensics
Keyword Computer forensics; digital evidence; mobile device security
Family Audit & Accountability; Identification & Authentication; Media Protection
Abstract Forensic specialists periodically encounter unusual devices and new technologies normally not envisaged as having
immediate relevance from a digital forensics perspective. The objective of the guide is twofold: to help organizations
evolve appropriate policies and procedures for dealing with Personal Digital Assistants (PDAs), and to prepare forensic
specialists to deal with new situations when they are encountered. This guide provides an in-depth look into PDAs and
explains associated technologies and their impact on the procedures for forensic specialists. It covers the characteristics
of three families of devices: Pocket PC, Palm OS, and Linux-based PDAs, and the relevance of the operating systems
associated with them.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-72
DRAFT SP 800-73-4 5/13/2013 Interfaces for Personal Identity Verification
Topic Authentication; Biometrics; Cryptography; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards
Keyword authentication; FIPS 201; identity credential; logical access control; on-card biometric comparison; Personal Identity
Verification (PIV); physical access control; smart cards; secure messaging
Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
Abstract FIPS 201 defines the requirements and characteristics of a government-wide interoperable identity credential. FIPS 201
also specifies that this identity credential must be stored on a smart card. This document, SP 800-73, contains the
technical specifications to interface with the smart card to retrieve and use the PIV identity credentials. The specifications
reflect the design goals of interoperability and PIV Card functions. The goals are addressed by specifying a PIV data
model, card edge interface, and application programming interface. Moreover, this document enumerates requirements
where the international integrated circuit card standards [ISO7816] include options and branches. The specifications go
further by constraining implementers’ interpretations of the normative standards. Such restrictions are designed to ease
implementation, facilitate interoperability, and ensure performance, in a manner tailored for PIV applications.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsDrafts.html#800-73-4
Final SP 800-73-3 2/1/2010 Interfaces for Personal Identity Verification
Topic Authentication; Biometrics; Cryptography; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards
Keyword HSPD-12; PIV; PACS; FIPS 201; PIV authentication mechanisms; Smart Card
Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
Abstract FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, defines procedures for the PIV
lifecycle activities including identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201 also
specifies that the identity credentials must be stored on a smart card. SP 800-73-3 contains the technical specifications to
interface with the smart card to retrieve and use the identity credentials. The specifications reflect the design goals of
interoperability and PIV Card functions. The goals are addressed by specifying a PIV data model, card edge interface, and
application programming interface. Moreover, SP 800-73-3 enumerates requirements where the standards include options
and branches.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-73--3
Final SP 800-76-1 1/1/2007 Biometric Data Specification for Personal Identity Verification
Topic Biometrics; Personal Identity Verification (PIV)
Keyword Conformance Test; SP 800-73; Personal Identity Verification; Derived Test Requirement; Test Assertions
Family Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Physical &
Environmental Protection; System & Services Acquisition
Abstract This document, Special Publication 800-76, is a companion document to FIPS 201, Personal Identity Verification (PIV) of
Federal Employees and Contractors. It describes technical acquisition and formatting specifications for the biometric
credentials of the PIV system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and
facial images by restricting values and practices included generically in published biometric standards. The primary
design objective behind these particular specifications is high performance universal interoperability. For the preparation
of biometric data suitable for the Federal Bureau of Investigation (FBI) background check, SP 800-76 references FBI
documentation, including the ANSI/NIST Fingerprint Standard and the Electronic Fingerprint Transmission Specification.
This document does not preclude use of other biometric modalities in conjunction with the PIV card.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-76--1
Final SP 800-76-2 7/11/2013 Biometric Specifications for Personal Identity Verification
Topic Biometrics; Personal Identity Verification (PIV)
Keyword biometrics; credentials; identity management
Family Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Physical &
Environmental Protection; System & Services Acquisition
Abstract Homeland Security Presidential Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and
Contractors [HSPD-12], called for new standards to be adopted governing interoperable use of identity credentials to allow physical and
logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees
and Contractors, Federal Information Processing Standard Personal Identity Verification (PIV) of Federal Employees and Contractors
(FIPS 201), was developed to define procedures and specifications for issuance and use of an interoperable identity credential. This
document, Special Publication 800-76 (SP 800-76), is a companion document to FIPS 201. It describes technical acquisition and
formatting specifications for the PIV system, including the PIV Card itself. It also establishes minimum accuracy specifications for
deployed biometric authentication processes. The approach is to enumerate procedures and formats for collection and preparation of
fingerprint, iris and facial data, and to restrict values and practices included generically in published biometric standards. The primary
design objective behind these particular specifications is to enable high performance and universal interoperability. The introduction of
iris and face specifications into the current edition adds alternative modalities for biometric authentication and extends coverage to
persons for whom fingerprinting is problematic. The addition of on-card comparison offers an alternative to PIN-mediated card activation
as well as an additional authentication method.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-76--2
Final SP 800-77 12/1/2005 Guide to IPsec VPNs
Topic Communications & Wireless
Keyword IPsec; network security; virtual private network; VPN
Family Access Control; Identification & Authentication; Maintenance; System & Communication Protection
Abstract IPsec is a framework of open standards for ensuring private communications over public networks. It has become the most common
network layer security control, typically used to create a virtual private network (VPN). A VPN is a virtual network, built on top of existing
physical networks, that can provide a secure communications mechanism for data and control information transmitted between
networks. VPNs are used most often to protect communications carried over public networks such as the Internet. A VPN can provide
several types of data protection, including confidentiality, integrity, data origin authentication, replay protection and access control.
Although VPNs can reduce the risks of networking, they cannot totally eliminate them. This document discusses the need for network
layer security and introduces the concept of virtual private networking (VPN). It covers the fundamentals of IPsec, focusing on its primary
components: the Encapsulating Security Payload (ESP), the Authentication Header (AH), and the Internet Key Exchange (IKE). It
describes issues to be considered during IPsec planning and implementation. It also discusses several alternatives to IPsec and
describes when each method may be appropriate. Several case studies are presented that show how IPsec could be used in various
scenarios. It ends with a brief discussion of future directions for IPsec. The document contains an IPsec-related bibliography and lists of
print and online resources and tools that may be useful for IPsec planning and implementation.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-77
DRAFT SP 800-78-4 5/13/2013 Cryptographic Algorithms and Key Sizes for Personal Identity Verification
Topic Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart
Cards
Keyword cryptographic algorithm; FIPS 201; identity credential; Personal Identity Verification (PIV); smart cards
Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
Abstract Federal Information Processing Standard 201 (FIPS 201) defines requirements for the PIV lifecycle activities including
identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201 also defines the structure of an identity
credential that includes cryptographic keys. This document contains the technical specifications needed for the mandatory
and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and
the related Special Publication 800-73, Interfaces for Personal Identity Verification [SP800-73], and SP 800-76, Biometric
Data Specification for Personal Identity Verification [SP800-76], that rely on cryptographic functions.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsDrafts.html#800-78-4
Final SP 800-78-3 12/1/2010 Cryptographic Algorithms and Key Sizes for Personal Identification Verification
Topic Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart
Cards
Keyword PIV; FIPS 201; HSPD-12; Cryptography; digital signature; authentication; Personal Identity Verification; PIV
Family Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
Abstract This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified
in FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, as well as the supporting
infrastructure specified in FIPS 201 and the related Special Publication 800-73, Interfaces for Personal Identity
Verification, and SP 800-76, Biometric Data Specification for Personal Identity Verification, that rely on cryptographic
functions.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-78--3
Final SP 800-79-1 6/1/2008 Guidelines for the Accreditation of Personal Identity Verification Card Issuers
Topic Personal Identity Verification (PIV); Services & Acquisitions
Keyword Accreditation; credentials; HSPD-12; PCI; Personal Identity Verification; PIV; security assessment
Family Certification, Accreditation & Security Assessments
Abstract The purpose of this publication is to provide appropriate and useful guidelines for accrediting the reliability of issuers of
Personal Identity Verification cards that are established to collect, store, and disseminate personal identity credentials and
issue smart cards, based on the standards published in response to Homeland Security Presidential Directive 12 (HSPD-12).
These issuers, who are the target of assessment and accreditation, are called Personal Identity Verification Card
Issuers or PCIs. The reliability of PCIs is of utmost importance when one organization (e.g., a Federal agency or Federal
contractor) is required to trust the identity credentials and cards of individuals that were created and issued, respectively,
by another organization. This trust will only exist if organizations relying on the credentials and cards issued by a given
organization have the necessary level of assurance that the reliability of the issuing organization has been established
through a formal accreditation process.
This publication provides an assessment and accreditation methodology for verifying that issuers of PIV credentials and
cards are reliably adhering to standards and implementation directives developed under HSPD-12.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-79--1
Final SP 800-81 Rev. 1 4/1/2010 Secure Domain Name System (DNS) Deployment Guide
Topic Communications & Wireless; Planning
Keyword Checklists; denial of service; DNS; DNS Security Extensions; DNSSEC; Domain Name System; information system
security; Internet Protocol (IP); risks; vulnerabilities
Family Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System &
Communication Protection
Abstract This document provides deployment guidelines for securing the Domain Name System (DNS) in any enterprise, whether a
government agency or a corporate entity. The deployment guidelines follow from an analysis of security objectives and
consequent protection approaches for all DNS components. This document was originally published in May 2006. Since
then the following IETF RFCs, FIPS and NIST cryptographic guidance documents have been published, and this revision
takes into account the specifications and recommendations found in those documents: DNSSEC Operational Practices
(RFC 4641), Automated Updates for DNS Security (DNSSEC) Trust Anchors (RFC 5011), DNS Security
(DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155), HMAC SHA TSIG Algorithm Identifiers (RFC 4635),
The Keyed-Hash Message Authentication Code (HMAC) (FIPS 198-1), Digital Signature Standard (FIPS 186-3) and
Recommendations for Key Management (SP 800-57P1 & SP 800-57P3). In addition, this revision provides
secure configuration examples using the DNS software NSD in addition to BIND, guidelines on procedures for
migrating to a new cryptographic algorithm for signing the zone (Section 11.5), guidelines on procedures for migrating
from NSEC to NSEC3 for providing authenticated denial of existence (Section 11.6), and deployment
guidelines for split zones under different scenarios (Section 11.7).
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-81-Rev.%201
Final SP 800-81-2 9/13/2013 Secure Domain Name System (DNS) Deployment Guide
Topic Communications & Wireless; Planning
Keyword Authoritative Name Server; Caching Name Server; Domain Name System (DNS); DNS Query/Response; DNS Security
Extensions (DNSSEC); Resource Record (RR); Trust Anchor; Validating Resolver
Family Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System &
Communication Protection
Abstract The Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-
friendly domain names rather than IP addresses, by translating domain names to IP addresses and back. The DNS
infrastructure is made up of computing and communication entities called Name Servers each of which contains
information about a small portion of the domain name space. The domain name data provided by DNS is intended to be
available to any computer located anywhere in the Internet. This document provides deployment guidelines for securing
DNS within an enterprise. Because DNS data is meant to be public, preserving the confidentiality of DNS data. The
primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of
domain name information and maintain the integrity of domain name information in transit. This document provides
extensive guidance on maintaining data integrity and performing source authentication. DNS components are often
subjected to denial-of-service attacks intended to disrupt access to the resources whose domain names are handled by
the attacked DNS components. This document presents guidelines for configuring DNS deployments to prevent many
denial-of-service attacks that exploit vulnerabilities in various DNS components.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-81--2
Final SP 800-82 Rev. 1 5/14/2013 Guide to Industrial Control Systems (ICS) Security
Topic Cyber-Physical Systems & Smart Grid; Risk Assessment
Keyword computer security; distributed control systems (DCS); industrial control systems (ICS); information security; network
security; programmable logic controllers (PLC); risk management; security controls; supervisory control and data
acquisition (SCADA) systems
Family
Abstract This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and
Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as
Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements.
The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to
these systems, and provides recommended security countermeasures to mitigate the associated risks.
Legal Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-82-Rev.%201
Final SP 800-83 Rev. 1 7/22/2013 Guide to Malware Incident Prevention and Handling for Desktops and Laptops
Topic Incident Response; Maintenance; Viruses & Malware
Keyword incident response; information security; malware
Family Access Control; Audit & Accountability; Configuration Management; Contingency Planning; Incident Response; Risk
Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent
to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability
of the victim’s data, applications, or operating system. Malware is the most common external threat to most hosts, causing
widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This
publication provides recommendations for improving an organization’s malware incident prevention measures. It also
gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better
prepared to handle malware incidents, particularly widespread ones.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-83-Rev.%201
Final SP 800-84 9/1/2006 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
Topic Certification & Accreditation (C&A); Contingency Planning; Incident Response; Maintenance; Risk Assessment
Keyword Contingency plan; exercise; FISMA; incident response plan; test; training and exercise
Family
Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory
responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This
publication seeks to assist organizations in designing, developing, conducting, and evaluating test, training, and exercise
(TT&E) events in an effort to aid personnel in preparing for adverse situations involving information technology (IT). The
events are designed to train personnel, exercise IT plans, and test IT systems, so that an organization can maximize its
ability to prepare for, respond to, manage, and recover from disasters that may affect its mission. The guide describes the
design, development, conduct, and evaluation of events for single organizations, as opposed to large-scale events that
may involve multiple organizations.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-84
Final SP 800-85A-2 7/1/2010 PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 Compliance)
Topic Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Keyword PIV; HSPD-12; Smart Cards; Identity Management; Testing; SP 800-73-3
Family Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition
Abstract The objective of this document is to provide test requirements and test assertions that could be used to validate the
compliance/conformance of two PIV components: PIV middleware and PIV card application with the specification in NIST
SP 800-73-3, Interfaces for Personal Identity Verification.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-A-2
DRAFT SP 800-85B-1 9/1/2009 PIV Data Model Test Guidelines
Topic Personal Identity Verification (PIV); Services & Acquisitions
Keyword
Family Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition
Abstract A robust testing framework and guidelines to provide assurance that a particular component or system is compliant with
FIPS201 and supporting standards should exist to build the necessary PIV infrastructure to support common unified
processes and systems for government-wide use. NIST developed test guidelines in two parts. The first part addresses
test requirements for the interface to the PIV card, which are provided in NIST Special Publication 800-85A (SP 800-85A).
The second part provides test requirements for the PIV data model and is provided in this document. This document
specifies the derived test requirements, and the detailed test assertions and conformance tests for testing the PIV data
model.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-B-1
Final SP 800-85B 7/1/2006 PIV Data Model Test Guidelines
Topic Personal Identity Verification (PIV); Services & Acquisitions
Keyword Personal Identity Verification; PIV Card; HSPD-12; FIPS 201; PIV Data Model Testing; Smart Card
Family Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition
Abstract In order to build the necessary PIV infrastructure to support common unified processes and government-wide use of
identity credentials, NIST developed this test guidance document that ensures interoperability of PIV data. This document
provides test requirements for the PIV data model. This test guidance document specifies the test plan, processes,
derived test requirements, and the detailed test assertions / conformance tests for testing the PIV data model.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-B
Final SP 800-86 8/1/2006 Guide to Integrating Forensic Techniques into Incident Response
Topic Forensics; Incident Response
Keyword FISMA; Forensics; Incident Response
Family Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Media
Protection; Physical & Environmental Protection; System & Information Integrity
Abstract This publication is intended to help organizations in investigating computer security incidents and troubleshooting some
information technology (IT) operational problems by providing practical guidance on performing computer and network
forensics. The guide presents forensics from an IT view, not a law enforcement view. Specifically, the publication
describes the processes for performing effective forensics activities and provides advice regarding different data sources,
including files, operating systems (OS), network traffic, and applications.
The publication is not to be used as an all-inclusive step-by-step guide for executing a digital forensic investigation or
construed as legal advice. Its purpose is to inform readers of various technologies and potential ways of using them in
performing incident response or troubleshooting activities. Readers are advised to apply the recommended practices only
after consulting with management and legal counsel for compliance concerning laws and regulations (i.e., local, state,
Federal, and international) that pertain to their situation.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-86
Final SP 800-87 Rev. 1 4/1/2008 Codes for Identification of Federal and Federally-Assisted Organizations
Topic Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Keyword HSPD-12; PIV; PACS; FIPS 201; identity credentials; Smart Card; personal identification verification
Family Access Control; Identification & Authentication
Abstract The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the
interoperable use of identity credentials to allow physical and logical access to Federal government locations and
systems. The Personal Identity Verification (PIV) for Federal Employees and Contractors, (Federal Information Processing
Standard 201 (FIPS 201)) was developed to establish standards for identity credentials. This document, Special
Publication 800-87 (SP 800-87), provides the organizational codes necessary to establish the PIV Federal Agency Smart
Credential Number (PIV FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier (CHUID)
and is a companion document to FIPS 201.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-87-Rev.%201
DRAFT SP 800-88 Rev. 1 9/6/2012 Guidelines for Media Sanitization
Topic Certification & Accreditation (C&A); Forensics; General IT Security; Maintenance; Risk Assessment
Keyword
Family Maintenance; Media Protection; Risk Assessment
Abstract SP 800-88 discusses methods, techniques and best practices for the sanitization of target data on different media types
and risk-based approaches organizations can apply to establish and maintain a media sanitization program.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-88-Rev.%201
Final SP 800-88 9/11/2006 Guidelines for Media Sanitization
Topic Certification & Accreditation (C&A); Forensics; General IT Security; Maintenance; Risk Assessment
Keyword Information disposal; media disposal; media sanitization; storage security; purge, sanitization
Family Maintenance; Media Protection; Risk Assessment
Abstract Information systems capture, process, and store information using a wide variety of media. This information is located not only on the
intended storage media but also on devices used to create, process, or transmit this information. These media may require special
disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective
management of information created, processed, and stored by an information technology (IT) system throughout its life, from inception
through disposition, is a primary concern of an information system owner and the custodian of the data. With the more prevalent use of
increasingly sophisticated encryption, an attacker wishing to gain access to an organization's sensitive information is forced to look
outside the system itself for that information. One avenue of attack is the recovery of supposedly deleted data from media. These
residual data may allow unauthorized individuals to reconstruct data and thereby gain access to sensitive information. Sanitization can
be used to thwart this attack by ensuring that deleted data cannot be easily recovered. When storage media are transferred, become
obsolete, or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical,
electrical, or other representation of data that has been deleted is not easily recoverable. Sanitization refers to the general process of
removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.
This guide will assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of
their information.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-88
Final SP 800-89 11/1/2006 Recommendation for Obtaining Assurances for Digital Signature Applications
Topic Authentication; Digital Signatures; PKI
Keyword assurance; Certification Authority; digital signatures; timestamp token;
Trusted Timestamp Authority
Family Audit & Accountability; Planning; System & Communication Protection
Abstract Entities participating in the generation or verification of digital signatures depend on the authenticity of the process. This
Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of
domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the
private key, and assurance of the identity of the key pair owner.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-89
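For elliptic-curve keys, the "assurance of public key validity" the abstract lists is the full public-key validation routine (the one SP 800-56A specifies): the point must not be the identity, its coordinates must be in range, it must satisfy the curve equation, and it must have order n. A public key that is accepted without these checks can be chosen by an attacker to lie on a weaker curve, which is the basis of invalid-curve attacks on key agreement. The following is an added example, not code from SP 800-89 or any NIST implementation; it uses the published P-256 domain parameters and a constructed off-curve point (1, 2) as its negative case.

```python
"""ECC full public-key validation on NIST P-256 (added illustration, not NIST code)."""

# P-256 domain parameters (FIPS 186): y^2 = x^3 + a*x + b over GF(p), base point G of prime order n.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity (group identity)


def point_add(p1, p2):
    """Affine point addition. Not constant-time: fine for validating a public
    key, which is public data, but not for private-key operations."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # Q + (-Q) = O
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def full_public_key_validation(q):
    """Return (ok, reason) for candidate public key q = (x, y).
    Checks, in order: Q != O; 0 <= x, y < p; Q on the curve; n*Q == O."""
    if q is INF:
        return False, "point at infinity"
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of range"
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False, "not on the curve (possible invalid-curve attack)"
    # P-256 has cofactor 1, so any on-curve point already has order n; the
    # check is kept because the routine must also serve curves with cofactor > 1.
    if scalar_mult(N, q) is not INF:
        return False, "wrong order"
    return True, "valid"


# Constructed test points (not real keys): G, and (1, 2), which lies on the
# different curve y^2 = x^3 - 3x + 6 and so must be rejected at the curve check.
VALID_POINT = G
INVALID_CURVE_POINT = (1, 2)

if __name__ == "__main__":
    for name, pt in (("G", VALID_POINT), ("(1, 2)", INVALID_CURVE_POINT)):
        print(name, full_public_key_validation(pt))
```

The order of the checks matters: the range and curve-equation tests are cheap and must precede the scalar multiplication, since multiplying an off-curve point is exactly the operation an invalid-curve attack exploits.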
DRAFT SP 800-90A Rev. 1 4/21/2014 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Topic Cryptography
Keyword deterministic random bit generator (DRBG); entropy; hash function; random number generator
Family System & Communication Protection
Abstract This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods
provided are based on either hash functions, block cipher algorithms or number theoretic problems.
Legal
Link http://csrc.nist.gov/publications/PubsDrafts.html#800-90Ar1
Final SP 800-90A 1/1/2012 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Topic Cryptography
Keyword deterministic random bit generator (DRBG); entropy; hash function; random number generator
Family System & Communication Protection
Abstract This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods
provided are based on either hash functions, block cipher algorithms or number theoretic problems.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-90-A
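The hash-based family the SP 800-90A abstract (draft Rev. 1 and final) refers to is Hash_DRBG. Its state is a seedlen-bit value V, a constant C derived from the seed, and a reseed counter; output is produced by hashing V, V+1, V+2, ..., and V is then updated so that earlier output cannot be recovered from later state. The following is an added example, not NIST code, instantiated with SHA-256 (seedlen = 440 bits); the seed material in the test and usage is constructed, and a real instantiation at 256-bit security needs at least 256 bits of entropy input and a 128-bit nonce from a source that meets SP 800-90B.

```python
"""SHA-256 Hash_DRBG following the SP 800-90A mechanism (added illustration, not NIST code)."""
import hashlib
import os

SEEDLEN = 55                      # 440 bits: seedlen SP 800-90A assigns to SHA-256 Hash_DRBG
SEED_MOD = 1 << (SEEDLEN * 8)     # V and C are seedlen-bit integers; arithmetic is mod 2^seedlen
RESEED_INTERVAL = 2 ** 48         # maximum generate calls between reseeds
MAX_BYTES_PER_REQUEST = 2 ** 16   # 2^19 bits per generate call


def hash_df(input_bytes: bytes, out_bytes: int) -> bytes:
    """Hash_df (SP 800-90A 10.3.1): derive out_bytes from arbitrary-length input
    by hashing counter || no_of_bits_to_return (32-bit) || input until enough."""
    no_of_bits = (out_bytes * 8).to_bytes(4, "big")
    temp = b""
    counter = 1
    while len(temp) < out_bytes:
        temp += hashlib.sha256(bytes([counter]) + no_of_bits + input_bytes).digest()
        counter += 1
    return temp[:out_bytes]


def _add_mod_seedlen(*parts) -> bytes:
    """Sum byte strings and ints as integers modulo 2^seedlen; return seedlen bytes."""
    total = sum(p if isinstance(p, int) else int.from_bytes(p, "big") for p in parts)
    return (total % SEED_MOD).to_bytes(SEEDLEN, "big")


class HashDRBG:
    """Internal state (V, C, reseed_counter) as in SP 800-90A 10.1.1."""

    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        # Instantiate: seed = Hash_df(entropy_input || nonce || personalization_string)
        self._seed(hash_df(entropy_input + nonce + personalization, SEEDLEN))

    def _seed(self, seed: bytes) -> None:
        self.V = seed
        self.C = hash_df(b"\x00" + seed, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # Reseed: seed = Hash_df(0x01 || V || entropy_input || additional_input)
        self._seed(hash_df(b"\x01" + self.V + entropy_input + additional_input, SEEDLEN))

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        if n_bytes > MAX_BYTES_PER_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            w = hashlib.sha256(b"\x02" + self.V + additional_input).digest()
            self.V = _add_mod_seedlen(self.V, w)
        # Hashgen: hash V, V+1, V+2, ... (mod 2^seedlen) and concatenate
        data = int.from_bytes(self.V, "big")
        out = b""
        while len(out) < n_bytes:
            out += hashlib.sha256(data.to_bytes(SEEDLEN, "big")).digest()
            data = (data + 1) % SEED_MOD
        # State update for backtracking resistance: V = V + H + C + reseed_counter
        h = hashlib.sha256(b"\x03" + self.V).digest()
        self.V = _add_mod_seedlen(self.V, h, self.C, self.reseed_counter)
        self.reseed_counter += 1
        return out[:n_bytes]


def drbg_output(entropy_input: bytes, nonce: bytes, n_bytes: int,
                personalization: bytes = b"") -> bytes:
    """Instantiate a fresh DRBG from the given seed material and return n_bytes."""
    return HashDRBG(entropy_input, nonce, personalization).generate(n_bytes)


if __name__ == "__main__":
    # Seed from the OS entropy source; SP 800-90B governs what such a source must provide.
    drbg = HashDRBG(os.urandom(32), os.urandom(16), b"catalog example")
    print(drbg.generate(32).hex())
```

Because the mechanism is deterministic, two instances seeded with identical entropy input, nonce and personalization string produce identical output; every bit of unpredictability comes from the entropy source, which is why SP 800-90B and SP 800-90C treat the source and the construction as separate problems.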
DRAFT SP 800-90B 9/9/2013 Recommendation for the Entropy Sources Used for Random Bit Generation
Topic Cryptography
Keyword deterministic random bit generator (DRBG); entropy; hash function; random number generator; noise source; entropy
source; conditioning component
Family System & Communication Protection
Abstract This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit
Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with
Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators,
as specified in SP 800-90C.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#800-90ABC
DRAFT SP 800-90C 9/9/2013 Recommendation for Random Bit Generator (RBG) Constructions
Topic Cryptography
Keyword deterministic random bit generator (DRBG), entropy, entropy source, non-deterministic random bit generator (NRBG), random number generator, source of entropy input
Family System & Communication Protection
Abstract SP 800-90C specifies constructions for the implementation of random bit generators (RBGs). An RBG may be a
deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs
consist of DRBG mechanisms as specified in SP 800-90A and entropy sources as specified in SP 800-90B.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#800-90ABC
Final SP 800-92 9/1/2006 Guide to Computer Security Log Management
Topic Audit & Accountability
Keyword computer security log management; FISMA; log management
Family Audit & Accountability; Incident Response; Media Protection; Physical & Environmental Protection; System & Information
Integrity
Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory
responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This
publication seeks to assist organizations in understanding the need for sound computer security log management. It
provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices
throughout an enterprise. The guidance in this publication covers several topics, including establishing log management
infrastructures, and developing and performing robust log management processes throughout an organization. The
publication presents logging technologies from a high-level viewpoint, and it is not a step-by-step guide to implementing or
using logging technologies.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-92
Final SP 800-94 2/1/2007 Guide to Intrusion Detection and Prevention Systems (IDPS)
Topic Audit & Accountability; Forensics; Incident Response; Planning
Keyword FISMA; intrusion detection; intrusion detection and prevention; intrusion prevention
Family Audit & Accountability; Incident Response; Planning
Abstract The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory
responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This
publication seeks to assist organizations in understanding intrusion detection system (IDS) and intrusion prevention
system (IPS) technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion
detection and prevention systems (IDPS). It provides practical, real-world guidance for each of four classes of IDPS:
network-based, wireless, network behavior analysis software, and host-based. The publication also provides an overview
of complementary technologies that can detect intrusions, such as security information and event management software.
It focuses on enterprise IDPS, but most of the information in the publication is also applicable to standalone and small-scale IDPS deployments.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-94
DRAFT SP 800-94 Rev. 1 7/25/2012 Guide to Intrusion Detection and Prevention Systems (IDPS)
Topic Audit & Accountability; Forensics; Incident Response; Planning
Keyword
Family Audit & Accountability; Incident Response; Planning
Abstract Intrusion detection and prevention systems (IDPS) are focused on identifying possible incidents, logging information about
them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for
other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals
from violating security policies. This publication describes the characteristics of IDPS technologies and provides
recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of
IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are
deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network
behavior analysis (NBA), and host-based.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-94-Rev.%201
Final SP 800-95 8/1/2007 Guide to Secure Web Services
Topic General IT Security; Planning; Research
Keyword Application security; Web services
Family Planning; System & Communication Protection
Abstract The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks.
Web services based on the eXtensible Markup Language (XML), SOAP, and related open standards, and deployed in
Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic
and ad hoc connections. The security challenges presented by the Web services approach are formidable and
unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic
application-to-application connections, and relative autonomy are at odds with traditional security models and controls.
Ensuring the security of Web services involves augmenting traditional security mechanisms with security frameworks
based on use of authentication, authorization, confidentiality, and integrity mechanisms. This document describes how to
implement those security mechanisms in Web services. It also discusses how to make Web services and portal
applications robust against the attacks to which they are subject.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-95
Final SP 800-96 9/1/2006 PIV Card to Reader Interoperability Guidelines
Topic Personal Identity Verification (PIV); Smart Cards
Keyword Personal Identity Verification; PIV Card; PIV Card Reader; HSPD-12; FIPS 201
Family Access Control; Identification & Authentication; Physical & Environmental Protection
Abstract The purpose of this document is to present recommendations for Personal Identity Verification (PIV) card readers in the
area of performance and communications characteristics to foster interoperability. This document is not intended to restate or contradict requirements specifically identified in Federal Information Processing Standard 201 (FIPS 201) or its
associated documents. It is intended to augment existing standards to enable agencies to achieve the interoperability goal
of Homeland Security Presidential Directive 12 (HSPD-12).
The document provides requirements that facilitate interoperability between any card and any reader. Specifically, the
recommendations are for end-point cards and readers designed to read end-point cards.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-96
Final SP 800-97 2/1/2007 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
Topic Communications & Wireless; Services & Acquisitions
Keyword IEEE 802.11; network security; Wi-Fi; wireless local area network; wireless networking
Family Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition
Abstract This report provides readers with a detailed explanation of next generation 802.11 wireless security. It describes the
inherently flawed Wired Equivalent Privacy (WEP) and explains 802.11i's two-step approach (interim and long-term) to
providing effective wireless security. It describes secure methods used to authenticate users in a wireless environment,
and presents several sample case studies of wireless deployment. It also includes guidance on best practices for
establishing secure wireless networks using the emerging Wi-Fi technology.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-97
Final SP 800-98 4/1/2007 Guidelines for Securing Radio Frequency Identification (RFID) Systems
Topic Communications & Wireless; Planning
Keyword Radio Frequency Identification; RFID; Security; Privacy
Family Identification & Authentication; Physical & Environmental Protection; System & Communication Protection; System &
Services Acquisition
Abstract This publication seeks to assist organizations in understanding the risks of RFID technology and security measures to
mitigate those risks. It provides practical, real-world advice on how to initiate, design, implement and operate RFID
systems in a manner that mitigates security and privacy risks. The document also provides background information on
RFID applications, standards, and system components to assist in the understanding of RFID security risks and controls.
This document presents information that is independent of particular hardware platforms, operating systems, and
applications. The emphasis is on RFID systems that are based on industry and international standards, although the
existence of proprietary approaches is noted when they offer relevant security features not found in current standards.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-98
Final SP 800-100 3/7/2007 Information Security Handbook: A Guide for Managers
Topic General IT Security
Keyword Awareness; capital planning; certification; configuration management; contingency plan; incident response;
interconnecting systems; performance measures; risk management; security governance; security plans; security
services; system development life cycle; training
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &
Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract This Information Security Handbook provides a broad overview of information security program elements to assist
managers in understanding how to establish and implement an information security program. Typically, the organization
looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls
and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were
selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the
Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the
decision making process for developing an information security program. National Institute of Standards and Technology
(NIST) Interagency Report (IR) 7298, Glossary of Key Information Security Terms, provides a summary glossary for the
basic security terms used throughout this document. While reading this handbook, please consider that the guidance is
not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business
requirements.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-100
DRAFT SP 800-101 Rev. 1 9/4/2013 Guidelines on Mobile Device Forensics
Topic Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions
Keyword Computer forensics; digital evidence; mobile device security
Family Incident Response; Planning; System & Services Acquisition
Abstract Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound
conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This
guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies
involved and their relationship to forensic procedures.
The goal of mobile forensics is to apply sound methodologies to the acquisition of data held in the internal memory of a
mobile device and its associated media, so that findings can be reported accurately.
This guide also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital
evidence. The issue of ever increasing backlogs for most digital forensics labs is addressed and guidance is provided on
handling on-site triage casework.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-101-Rev.%201
Final SP 800-101 5/1/2007 Guidelines on Cell Phone Forensics
Topic Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions
Keyword Computer Forensics; Cell Phones; Digital Evidence
Family Incident Response; Planning; System & Services Acquisition
Abstract Forensic specialists periodically encounter unusual devices and new technologies outside of traditional computer
forensics. Cell phones are an emerging area with such characteristics. The objective of this guide is twofold: to help
organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists
to contend with new circumstances involving cell phones, when they arise. This guide provides an in-depth look into cell
phones and explains associated technologies and their effect on the procedures followed by forensic specialists. It also
discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital information present
on cell phones, as well as available forensic software tools that support those activities.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-101
Final SP 800-102 9/1/2009 Recommendation for Digital Signature Timeliness
Topic Authentication; Cryptography; Digital Signatures
Keyword Digital signatures; timeliness; timestamp; Trusted Timestamp Authority
Family System & Communication Protection
Abstract Establishing the time when a digital signature was generated is often a critical consideration. A signed message that
includes the (purported) signing time provides no assurance that the private key was used to sign the message at that
time unless the accuracy of the time can be trusted. With the appropriate use of digital signature-based timestamps from a
Trusted Timestamp Authority (TTA) and/or verifier-supplied data that is included in the signed message, the signatory can
provide some level of assurance about the time that the message was signed.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-102
DRAFT SP 800-103 10/6/2006 An Ontology of Identity Credentials - Part 1: Background and Formulation
Topic Authentication; Biometrics; General IT Security; Personal Identity Verification (PIV); Smart Cards
Keyword
Family Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection; System &
Communication Protection
Abstract This document provides the broadest possible range of identity credentials and supporting documents insofar as they
pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued
within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas as a
framework for retention and exchange of identity credential information.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-103
Final SP 800-104 6/1/2007 A Scheme for PIV Visual Card Topography
Topic Authentication; Personal Identity Verification (PIV); Smart Cards
Keyword PIV; FIPS 201; personal identification verification
Family Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection
Abstract The purpose of this document is to provide additional recommendations on the Personal Identity Verification (PIV) Card
color-coding for designating employee affiliation. The recommendations in this document complement FIPS 201 in order
to increase the reliability of PIV card visual verification.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Conduct Security Awareness Training
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-104
Final SP 800-106 2/1/2009 Randomized Hashing for Digital Signatures
Topic Cryptography; Digital Signatures
Keyword Digital signature; cryptographic hash function; hash function; collision resistance; randomized hashing.
Family Identification & Authentication; System & Communication Protection; System & Information Integrity
Abstract NIST-approved digital signature algorithms require the use of an approved cryptographic hash function in the generation
and verification of signatures. Approved cryptographic hash functions and digital signature algorithms can be found in
FIPS 180-3, Secure Hash Standard (SHS), and FIPS 186-3, Digital Signature Standard (DSS), respectively. The security
provided by the cryptographic hash function is vital to the security of a digital signature application. This Recommendation
specifies a method to enhance the security of the cryptographic hash functions used in digital signature applications by
randomizing the messages that are signed.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-106
Final SP 800-107 Rev. 1 8/1/2012 Recommendation for Applications Using Approved Hash Algorithms
Topic Cryptography; Digital Signatures
Keyword Digital signatures; hash algorithms; cryptographic hash function; hash function; hash-based key derivation algorithms;
hash value; HMAC; message digest; randomized hashing; random number generation; SHA; truncated hash values.
Family Identification & Authentication; System & Communication Protection; System & Information Integrity
Abstract Hash functions that compute a fixed-length message digest from arbitrary length messages are widely used for many
purposes in information security. This document provides security guidelines for achieving the required or desired security
strengths when using cryptographic applications that employ the approved hash functions specified in Federal Information
Processing Standard (FIPS) 180-4. These include functions such as digital signatures, Keyed-hash Message
Authentication Codes (HMACs) and Hash-based Key Derivation Functions (Hash-based KDFs).
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-107-Rev.%201
Final SP 800-108 10/1/2009 Recommendation for Key Derivation Using Pseudorandom Functions (Revised)
Topic Cryptography; General IT Security
Keyword Key derivation; pseudorandom function.
Family
Abstract This Recommendation specifies techniques for the derivation of additional keying material from a secret key, either
established through a key establishment scheme or shared through some other manner, using pseudorandom functions.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-108
Final SP 800-111 11/1/2007 Guide to Storage Encryption Technologies for End User Devices
Topic Cryptography; General IT Security
Keyword Computer security; mobile device security; removable media security; storage encryption; storage security
Family Configuration Management; Media Protection; System & Communication Protection; System & Information Integrity
Abstract Many threats against end user devices, such as desktop and laptop computers, smart phones, personal digital assistants,
and removable media, could cause information stored on the devices to be accessed by unauthorized parties. To prevent
such disclosures of information, the information needs to be secured. This publication explains the basics of storage
encryption, which is the process of using encryption and authentication to restrict access to and use of stored information.
The appropriate storage encryption solution for a particular situation depends primarily upon the type of storage, the
amount of information that needs to be protected, the environments where the storage will be located, and the threats that
need to be mitigated. This publication describes three types of solutions—full disk encryption, volume and virtual disk
encryption, and file/folder encryption—and makes recommendations for implementing and using each type. This
publication also includes several use case examples, which illustrate that there are multiple ways to meet most storage
encryption needs.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-111
Final SP 800-113 7/1/2008 Guide to SSL VPNs
Topic Authentication; Communications & Wireless; Cryptography; Planning
Keyword Secure sockets layer; secure remote access; SSL; TLS; transport layer security; virtual private network; VPN
Family Access Control; Identification & Authentication; Planning; System & Communication Protection; System & Information
Integrity
Abstract Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) provide users with secure remote access to an
organization's resources. An SSL VPN consists of one or more VPN devices to which users connect using their Web
browsers. The traffic between the Web browser and SSL VPN device is encrypted with the SSL protocol. SSL VPNs can
provide remote users with access to Web applications and client/server applications, as well as connectivity to internal
networks. They offer versatility and ease of use because they use the SSL protocol, which is included with all standard
Web browsers, so special client configuration or installation is often not required. In planning a VPN deployment, many
organizations are faced with a choice between an IPsec-based VPN and an SSL-based VPN. This document seeks to
assist organizations in understanding SSL VPN technologies. The publication also makes recommendations for
designing, implementing, configuring, securing, monitoring, and maintaining SSL VPN solutions. SP 800-113 provides a
phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments.
It also includes a comparison with other similar technologies such as Internet Protocol Security (IPsec) VPNs and other
VPN solutions.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-113
Final SP 800-114 11/1/2007 User's Guide to Securing External Devices for Telework and Remote Access
Topic Authentication; Communications & Wireless; General IT Security
Keyword Remote access security; remote access; telework
Family Access Control; Configuration Management; System & Communication Protection
Abstract This publication helps teleworkers secure the external devices they use for telework, such as personally owned and
privately owned desktop and laptop computers and consumer devices (e.g., cell phones, personal digital assistants
[PDA]). The document focuses specifically on security for telework involving remote access to their organization's
nonpublic computing resources. It provides practical, real-world recommendations for securing telework computers'
operating systems (OS) and applications, as well as the home networks that the computers use. It presents basic
recommendations for securing consumer devices used for telework. The document also presents advice on protecting the
information stored on telework computers and removable media. In addition, it provides tips on considering the security of
a device owned by a third party before deciding whether it should be used for telework.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-114
Final SP 800-115 9/1/2008 Technical Guide to Information Security Testing and Assessment
Topic Audit & Accountability; Certification & Accreditation (C&A); Communications & Wireless; Risk Assessment; Services &
Acquisitions
Keyword Penetration testing; risk assessment; security assessment; security examination; security testing; vulnerability scanning
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Risk Assessment; System & Communication
Protection; System & Information Integrity; System & Services Acquisition
Abstract The purpose of this document is to assist organizations in planning and conducting technical information security tests
and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical
recommendations for designing, implementing, and maintaining technical information security test and examination
processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or
network and verifying compliance with a policy or other requirements. The guide is not intended to present a
comprehensive information security testing and examination program but rather an overview of key elements of technical
security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each,
and recommendations for their use.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-115
Final SP 800-116 11/1/2008 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
Topic Authentication; Biometrics; Cryptography; General IT Security; Personal Identity Verification (PIV); PKI; Planning; Risk
Assessment; Smart Cards
Keyword HSPD-12; PIV; PACS; FIPS 201; PIV authentication mechanisms; Smart Card
Family Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection; Planning
Abstract This document provides best practice guidelines for integrating the PIV Card with the physical access control systems
(PACS) that authenticate the cardholders in Federal facilities. Specifically, this document recommends a risk-based
approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal government
facilities and assets. This document also proposes a PIV implementation maturity model to measure the progress of
facility and agency implementations.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-116
DRAFT SP 800-117 Rev. 1 1/6/2012 Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk
Assessment; Security Automation; Services & Acquisitions
Keyword
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident
Response; Maintenance; Risk Assessment; System & Communication Protection
Abstract The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2.
This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to
enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2
capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for
maintaining or verifying the security of systems in operational environments.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-117-Rev.%201
Final SP 800-117 7/1/2010 Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security
Automation; Services & Acquisitions
Keyword Security automation; security configuration management; Security Content Automation Protocol (SCAP); vulnerability
management
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance;
Risk Assessment; System & Communication Protection; System & Services Acquisition
Abstract The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP). This
document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance
their security posture. It also explains to IT product and service vendors how they can adopt SCAP's capabilities within
their offerings.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-117
DRAFT SP 800-118 4/21/2009 Guide to Enterprise Password Management
Topic Authentication; Cryptography; General IT Security; Planning; Risk Assessment
Keyword
Family Identification & Authentication; Planning; Risk Assessment; System & Communication Protection; System & Information
Integrity
Abstract SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based
passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and
local password management solutions.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-118
Final SP 800-119 12/1/2010 Guidelines for the Secure Deployment of IPv6
Topic Communications & Wireless; General IT Security; Planning
Keyword IPv6; network security; Internet Protocol
Family Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract Due to the exhaustion of IPv4 address space, and the Office of Management and Budget (OMB) mandate that U.S.
federal agencies begin to use the IPv6 protocol, NIST undertook the development of a guide to help educate federal
agencies about the possible security risks during their initial IPv6 deployment. Since IPv6 is not backwards compatible
with IPv4, organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should
begin now to understand the risks of deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will
enable an organization to navigate the process smoothly and securely. This document provides guidelines for
organizations to aid in securely deploying IPv6. The goals of this document are to: educate the reader about IPv6 features
and the security impacts of those features; provide a comprehensive survey of mechanisms that can be used for the
deployment of IPv6; and provide a suggested deployment strategy for moving to an IPv6 environment. After reviewing this
document, the reader should have a reasonable understanding of IPv6 and how it compares to IPv4, security impacts of
IPv6 features and capabilities, as-yet unknown impacts of IPv6 deployment, and increased knowledge and awareness
about the range of IPv4 to IPv6 transition mechanisms.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-119
Final SP 800-120 9/1/2009 Recommendation for EAP Methods Used in Wireless Network Access Authentication
Topic Authentication; Communications & Wireless; Cryptography; General IT Security
Keyword EAP methods; authentication; key establishment.
Family Access Control
Abstract This Recommendation specifies security requirements for authentication methods with key establishment supported by
the Extensible Authentication Protocol (EAP) defined in IETF RFC 3748 for wireless access authentications to federal
networks.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-120
Final SP 800-121 Rev. 1 6/1/2012 Guide to Bluetooth Security
Topic Authentication; Communications & Wireless; Services & Acquisitions
Keyword Bluetooth; Bluetooth security; wireless networking; wireless network security; wireless personal area networks
Family Access Control; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract Bluetooth is an open standard for short-range radio frequency communication. Bluetooth technology is used primarily to
establish wireless personal area networks (WPANs), and it has been integrated into many types of business and
consumer devices. This publication provides information on the security capabilities of Bluetooth technologies and gives
recommendations to organizations employing Bluetooth technologies on securing them effectively. The Bluetooth versions
within the scope of this publication are versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 + High Speed
(HS), and 4.0, which includes Low Energy (LE) technology.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-121-Rev.%201
Final SP 800-122 4/1/2010 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Topic General IT Security; Planning; Risk Assessment
Keyword PII; confidentiality; privacy; PII confidentiality impact level; FIPS 199; personally identifiable information
Family Access Control; Audit & Accountability; Identification & Authentication; Media Protection; Planning; Risk Assessment;
System & Communication Protection
Abstract The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable
information (PII) in information systems. The document explains the importance of protecting the confidentiality of PII in
the context of information security and explains its relationship to privacy using the Fair Information Practices, which
are the principles underlying most privacy laws and privacy best practices. PII should be protected from inappropriate
access, use, and disclosure. This document provides practical, context-based guidance for identifying PII and determining
what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer
appropriate levels of protection for PII and provides recommendations for developing response plans for incidents
involving PII. Organizations are encouraged to tailor the recommendations to meet their specific requirements.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-122
Final SP 800-123 7/1/2008 Guide to General Server Security
Topic General IT Security; Maintenance; Planning
Keyword Host security; server security
Family Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Incident Response;
Maintenance; Physical & Environmental Protection; Planning; System & Communication Protection; System & Information
Integrity
Abstract The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of
securing and maintaining the security of servers that provide services over network communications as a main function.
The document discusses the need to secure servers and provides recommendations for selecting, implementing, and
maintaining the necessary security controls.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-123
Final SP 800-124 Rev. 1 6/21/2013 Guidelines for Managing the Security of Mobile Devices in the Enterprise
Topic Authentication; Communications & Wireless; Research; Services & Acquisitions; Viruses & Malware
Keyword cell phone security; information security; mobile device security; mobility; remote access; smartphone security; tablet
security; telework
Family Access Control; Configuration Management; Media Protection; Planning; System & Communication Protection; System &
Information Integrity; System & Services Acquisition
Abstract The purpose of this publication is to help organizations centrally manage and secure mobile devices against a variety of
threats. This publication provides recommendations for selecting, implementing, and using centralized management
technologies, and it explains the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1
includes securing both organization-provided and personally-owned (bring your own device) mobile devices.
Legal Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-124-Rev%201
Final SP 800-125 1/1/2011 Guide to Security for Full Virtualization Technologies
Topic Cloud Computing & Virtualization; Planning; Risk Assessment
Keyword Virtualization; hypervisor; VMM; virtual machine; VM; cloud computing
Family Access Control; Configuration Management; Planning; Risk Assessment; System & Communication Protection; System &
Information Integrity
Abstract The purpose of SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server
and desktop virtualization, and to provide recommendations for addressing these concerns. Full virtualization technologies
run one or more operating systems and their applications on top of virtual hardware. Full virtualization is used for
operational efficiency, such as in cloud computing, and for allowing users to run applications for multiple operating
systems on a single computer.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-125
Final SP 800-126 11/1/2009 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security
Automation; Services & Acquisitions
Keyword Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content
automation
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance;
Risk Assessment; System & Communication Protection; System & Services Acquisition
Abstract This document defines the technical specification for Version 1.0 of the Security Content Automation Protocol (SCAP).
SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software
communicates information about software flaws and security configurations. This document describes the basics of the
SCAP component specifications and their interrelationships, the characteristics of SCAP content, as well as SCAP
requirements not defined in the individual SCAP component specifications. This guide provides recommendations on how
to use SCAP to achieve security automation for organizations seeking to implement SCAP.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126
SP 800-126 Rev. 1 2/1/2011 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security
Automation; Services & Acquisitions
Keyword Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content
automation
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance;
Risk Assessment; System & Communication Protection; System & Services Acquisition
Abstract This document provides the definitive technical specification for Version 1.1 of the Security Content Automation Protocol
(SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security
software communicates information about software flaws and security configurations. This document defines all SCAP
Version 1.1 requirements that are not defined in the individual SCAP component specifications.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126-Rev.%201
Final SP 800-126 Rev. 2 9/1/2011 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
Topic Audit & Accountability; Certification & Accreditation (C&A); Digital Signatures; General IT Security; Incident Response;
Maintenance; Risk Assessment; Security Automation; Services & Acquisitions; Viruses & Malware
Keyword Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content
automation
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident
Response; Maintenance; Risk Assessment; System & Communication Protection; System & Services Acquisition
Abstract This document provides the definitive technical specification for version 1.2 of the Security Content Automation Protocol
(SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which information
about software flaws and security configurations is communicated, both to machines and humans. This document defines
requirements for creating and processing SCAP content. These requirements build on the requirements defined within the
individual SCAP component specifications. Each new requirement pertains either to using multiple component
specifications together or to further constraining one of the individual component specifications.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126-Rev.%202
Final SP 800-127 9/1/2010 Guide to Securing WiMAX Wireless Communications
Topic Authentication; Communications & Wireless; Cryptography
Keyword WiMAX; wireless metropolitan area network; wireless network security
Family Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition
Abstract The purpose of this document is to provide information to organizations regarding the security capabilities of wireless
communications using WiMAX networks and to provide recommendations on using these capabilities. WiMAX technology
is a wireless metropolitan area network (WMAN) technology based upon the IEEE 802.16 standard. It is used for a variety
of purposes, including, but not limited to, fixed last-mile broadband access, long-range wireless backhaul, and access
layer technology for mobile wireless subscribers operating on telecommunications networks.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-127
Final SP 800-128 8/1/2011 Guide for Security-Focused Configuration Management of Information Systems
Topic Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security Automation
Keyword Configuration management; information systems; security program; risk management framework; security-focused
continuous monitoring; SecCM; control; monitoring; security content automation protocol (SCAP)
Family Configuration Management
Abstract The purpose of Special Publication 800-128, Guide for Security-Focused Configuration Management of Information
Systems, is to provide guidelines for organizations responsible for managing and administering the security of federal
information systems and associated environments of operation. Configuration management concepts and principles
described in NIST SP 800-128, provide supporting information for NIST SP 800-53, Recommended Security Controls for
Federal Information Systems and Organizations. NIST SP 800-128 assumes that information security is an integral part of
an organization’s overall configuration management. The focus of this document is on implementation of the information
system security aspects of configuration management, and as such the term security-focused configuration management
(SecCM) is used to emphasize the concentration on information security. In addition to the fundamental concepts
associated with SecCM, the process of applying SecCM practices to information systems is described. The goal of
SecCM activities is to manage and monitor the configurations of information systems to achieve adequate security and
minimize organizational risk while supporting the desired business functionality and services.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-128
Final SP 800-130 8/15/2013 A Framework for Designing Cryptographic Key Management Systems
Topic Cryptography
Keyword access control; confidentiality; cryptographic key management system; cryptographic keys; framework; integrity; key
management policies; key metadata; source authentication
Family
Abstract This Framework for Designing Cryptographic Key Management Systems (CKMS) contains topics that should be
considered by a CKMS designer when developing a CKMS design specification. For each topic, there are one or more
documentation requirements that need to be addressed by the design specification. Thus, any CKMS that addresses each
of these requirements would have a design specification that is compliant with this Framework.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-130
Final SP 800-131A 1/1/2011 Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Topic Cryptography
Keyword Cryptographic algorithm; digital signatures; encryption; hash function; key agreement; key derivation; key management;
key transport; key wrapping; message authentication codes; random number generation; security strength; transition.
Family
Abstract At the start of the 21st century, the National Institute of Standards and Technology (NIST) began the task of providing
cryptographic key management guidance, which includes defining and implementing appropriate key management
procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in
the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. NIST
Special Publication (SP) 800-57, Part 1 was the first document produced in this effort, and includes a general approach for
transitioning from one algorithm or key length to another. This Recommendation (SP 800-131A) provides more specific
guidance for transitions to the use of stronger cryptographic keys and more robust algorithms.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-131-A
Final SP 800-132 12/1/2010 Recommendation for Password-Based Key Derivation: Part 1: Storage Applications
Topic Authentication; Cryptography; General IT Security
Keyword Password-Based Key Derivation Functions; Salt; Iteration Count; Protection of data in storage.
Family Access Control
Abstract This Recommendation specifies techniques for the derivation of master keys from passwords or passphrases to protect
stored electronic data or data protection keys.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-132
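As an added illustration (it is not part of the catalog or of SP 800-132 itself), the following Python writes out PBKDF2 with HMAC-SHA256 so that the roles of the salt and the iteration count are visible, cross-checks the hand-written loop against the standard library, and wraps it in a small protect/unlock flow that enforces the publication's minimums of a 128-bit salt and 1000 iterations. The stored-record layout, the key-check tag and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import struct

# Minimums given in SP 800-132: a salt of at least 128 bits and an iteration
# count of at least 1000 (larger is better wherever the application can afford it).
MIN_SALT_BYTES = 16
MIN_ITERATIONS = 1000
H_LEN = 32  # output size of the PRF used below (HMAC-SHA256)


def prf(key: bytes, data: bytes) -> bytes:
    """The PRF of the construction: HMAC-SHA256 keyed with the password (or a derived key)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def pbkdf2_sha256(password: bytes, salt: bytes, count: int, k_len: int) -> bytes:
    """PBKDF2 written out as SP 800-132 specifies it.  For output block i:
        U_1 = PRF(P, S || INT(i)),  U_j = PRF(P, U_{j-1}),
        T_i = U_1 xor U_2 xor ... xor U_count
    The salt makes each user's key (and any precomputed table) unique; the
    count multiplies an attacker's cost per guess exactly as it multiplies ours."""
    if count < 1:
        raise ValueError("iteration count must be positive")
    out = bytearray()
    for i in range(1, -(-k_len // H_LEN) + 1):          # ceil(k_len / H_LEN) blocks
        u = prf(password, salt + struct.pack(">I", i))  # INT(i) is a 4-byte big-endian counter
        t = bytearray(u)
        for _ in range(count - 1):
            u = prf(password, u)
            for k in range(H_LEN):
                t[k] ^= u[k]
        out += t
    return bytes(out[:k_len])


def matches_stdlib(password: bytes, salt: bytes, count: int, k_len: int) -> bool:
    """Cross-check the hand-written loop against hashlib's PBKDF2."""
    ref = hashlib.pbkdf2_hmac("sha256", password, salt, count, dklen=k_len)
    return pbkdf2_sha256(password, salt, count, k_len) == ref


def derive_master_key(password: str, salt: bytes, count: int, k_len: int = 32) -> bytes:
    """Master key derivation with the SP 800-132 parameter minimums enforced."""
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt shorter than 128 bits")
    if count < MIN_ITERATIONS:
        raise ValueError("iteration count below 1000")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, count, dklen=k_len)


def protect(password: str, count: int = 100_000) -> dict:
    """Assumed stored record for a protected data set: the public parameters plus a
    key-check value (HMAC of a fixed tag under the master key) so a wrong password
    is detected before any data is touched.  The master key itself is never stored."""
    salt = os.urandom(MIN_SALT_BYTES)
    mk = derive_master_key(password, salt, count)
    return {"salt": salt, "count": count, "check": prf(mk, b"key-check")}


def unlock(password: str, record: dict):
    """Re-derive the master key from the stored salt and count; None on a wrong password."""
    mk = derive_master_key(password, record["salt"], record["count"])
    if not hmac.compare_digest(prf(mk, b"key-check"), record["check"]):
        return None
    return mk
```

The key-check value lets anyone holding the record run an offline guessing attack, which is exactly why the iteration count and a strong password matter; the count used in production should be set as high as the unlock latency budget allows, not left at the 1000-iteration floor.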
Final SP 800-133 11/1/2012 Recommendation for Cryptographic Key Generation
Topic Cryptography
Keyword asymmetric key; key agreement; key derivation; key generation; key replacement; key transport; key update; key
wrapping; private key; public key; symmetric key
Family
Abstract Cryptography is often used in an information technology security environment to protect data that is sensitive, has a high
value, or is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage.
Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a cryptographic key.
This Recommendation discusses the generation of the keys to be managed and used by the approved cryptographic
algorithms.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-133
Final SP 800-135 Rev. 1 12/1/2011 Recommendation for Existing Application-Specific Key Derivation Functions
Topic Cryptography
Keyword Cryptographic key; shared secret; Diffie-Hellman (DH) key exchange; hash function; Key Derivation Function (KDF); Hash-
based Key Derivation Function; Randomness Extraction; Key expansion; Pseudorandom Function (PRF); HMAC; ANS
X9.42-2001; ANS X9.63-2001; IKE; SSH; TLS; SRTP; SNMP and TPM.
Family
Abstract Cryptographic keys are vital to the security of internet security applications and protocols. Many widely-used internet
security protocols have their own application-specific Key Derivation Functions (KDFs) that are used to generate the
cryptographic keys required for their cryptographic functions. This Recommendation provides security requirements for
those KDFs.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-135-Rev.%201
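The TLS 1.2 PRF is one of the application-specific KDFs the publication covers. As an added example (not text or code from the page or from NIST), here it is implemented from RFC 5246 with HMAC-SHA256, together with the master-secret and key-block derivations that call it. The pre-master secret and the random values are constructed inputs, and the key-block split assumes a cipher suite with separate MAC keys and IVs.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash (RFC 5246 section 5) instantiated with HMAC-SHA256:
        A(0) = seed,  A(i) = HMAC(secret, A(i-1))
        P_hash = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    The chain of A(i) values is what lets a fixed-size secret be expanded to
    any length; the output is truncated to what the caller asked for."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)
        out += hmac_sha256(secret, a + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label || seed); the label binds
    each derived value to its purpose so outputs for different uses never collide."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random || ServerHello.random)[0..47]"""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """key_block = PRF(master_secret, "key expansion", server_random || client_random).
    Note the randoms are concatenated in the opposite order from master-secret derivation,
    a detail implementations frequently get wrong."""
    total = 2 * (mac_len + key_len + iv_len)
    kb = tls12_prf(master, b"key expansion", server_random + client_random, total)
    layout = (
        ("client_write_mac_key", mac_len), ("server_write_mac_key", mac_len),
        ("client_write_key", key_len), ("server_write_key", key_len),
        ("client_write_iv", iv_len), ("server_write_iv", iv_len),
    )
    parts, pos = {}, 0
    for name, n in layout:
        parts[name] = kb[pos:pos + n]
        pos += n
    return parts
```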
Final SP 800-137 9/1/2011 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
Topic Certification & Accreditation (C&A); General IT Security; Planning; Risk Assessment
Keyword Continuous monitoring; ISCM; information security; security; risk management
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Planning;
Program Management; Risk Assessment
Abstract The purpose of this guideline is to assist organizations in the development of a continuous monitoring strategy and the
implementation of a continuous monitoring program providing visibility into organizational assets, awareness of threats
and vulnerabilities, and visibility into the effectiveness of deployed security controls. It provides ongoing assurance that
planned and implemented security controls are aligned with organizational risk tolerance as well as the information
needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-137
DRAFT FIPS 140-3 12/11/2009 Security Requirements for Cryptographic Modules (Revised Draft)
Topic Audit & Accountability; Authentication; Communications & Wireless; Cryptography; Digital Signatures; PKI; Planning;
Services & Acquisitions
Keyword computer security; telecommunication security; physical security; software security; cryptography; cryptographic modules;
Federal Information Processing Standard (FIPS).
Family Identification & Authentication; System & Communication Protection; System & Information Integrity
Abstract The selective application of technological and related procedural safeguards is an important responsibility of every
Federal organization in providing adequate security in its computer and telecommunication systems. This standard is
applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in
computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information
Technology Management Reform Act of 1996, Public Law 104-106 and the Federal Information Security Management Act
of 2002, Public Law 107-347. This standard shall be used in designing and implementing cryptographic modules that
Federal departments and agencies operate or are operated for them under contract. The standard provides four
increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The
security requirements cover areas related to the secure design, implementation, operation and disposal of a cryptographic
module. These areas include cryptographic module specification; cryptographic module physical ports and logical
interfaces; roles, authentication, and services; software security; operational environment; physical security; physical
security – non-invasive attacks; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation
of other attacks.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-140--3
Final FIPS 140-2 12/3/2002 Security Requirements for Cryptographic Modules
Topic Audit & Accountability; Communications & Wireless; Cryptography; Digital Signatures; PKI; Planning; Services &
Acquisitions
Keyword computer security; cryptographic module; FIPS 140-2; validation
Family Identification & Authentication; System & Communication Protection; System & Information Integrity
Abstract This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a
cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications
and environments. The areas covered, related to the secure design and implementation of a cryptographic module,
include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security;
operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility
(EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-140--2
Final SP 800-142 10/1/2010 Practical Combinatorial Testing
Topic Research
Keyword Combinatorial methods; computer security; software assurance; software testing
Family
Abstract Combinatorial testing can help detect interaction faults early in the testing life cycle. The key insight underlying t-way
combinatorial testing is that not every parameter contributes to every fault and most faults are caused by interactions
between a relatively small number of parameters. This publication provides a self-contained tutorial on using
combinatorial testing for real-world software, including how to use it effectively for system and software assurance. It
introduces the key concepts and methods, explains use of software tools for generating combinatorial tests (freely
available on the NIST web site csrc.nist.gov/acts), and discusses advanced topics such as the use of formal models of
software to determine the expected results for each set of test inputs. With each topic, a section on costs and practical
considerations explains tradeoffs and limitations that may impact resources or funding. The material is accessible to an
undergraduate student of computer science or engineering, and includes an extensive set of references to papers that
provide more depth on each topic.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-142
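To make the t-way idea concrete, here is an added example (written for this page; it is not the NIST ACTS tool or any code from the publication) of a small greedy covering-array generator plus a checker that confirms every t-way interaction is exercised. The parameter set is a constructed web-tier configuration; the algorithm is a plain greedy heuristic, so the arrays it produces are complete but not minimal.

```python
from itertools import combinations, product


def interactions(params: dict, t: int) -> set:
    """Every t-way interaction a covering array must hit, as
    ((parameter indices), (values)) pairs."""
    names = list(params)
    out = set()
    for idx in combinations(range(len(names)), t):
        for vals in product(*(params[names[i]] for i in idx)):
            out.add((idx, vals))
    return out


def interactions_in(test: list, t: int) -> set:
    """The t-way interactions one complete test exercises."""
    return {(idx, tuple(test[i] for i in idx))
            for idx in combinations(range(len(test)), t)}


def generate_covering_array(params: dict, t: int):
    """Greedy strength-t covering array: seed each new test with a still-uncovered
    interaction, then fill the remaining parameters one at a time with the value
    that completes the most uncovered interactions.  Each test is a list of
    values in the order of the returned parameter names."""
    names = list(params)
    uncovered = interactions(params, t)
    tests = []
    while uncovered:
        idx, vals = min(uncovered, key=repr)   # deterministic seed choice
        test = [None] * len(names)
        for i, v in zip(idx, vals):
            test[i] = v
        for p in range(len(names)):
            if test[p] is not None:
                continue
            best_value, best_gain = None, -1
            for v in params[names[p]]:
                test[p] = v
                # interactions whose parameters are all assigned and all match
                gain = sum(1 for j, w in uncovered
                           if all(test[k] == w_k for k, w_k in zip(j, w)))
                if gain > best_gain:
                    best_value, best_gain = v, gain
            test[p] = best_value
        tests.append(test)
        uncovered -= interactions_in(test, t)
    return names, tests


def covers(params: dict, tests: list, t: int) -> bool:
    """True when the test set hits every t-way interaction of the parameters."""
    missing = interactions(params, t)
    for test in tests:
        missing -= interactions_in(test, t)
    return not missing


def full_product_size(params: dict) -> int:
    """Number of tests exhaustive testing would need."""
    n = 1
    for values in params.values():
        n *= len(values)
    return n


# Constructed example: configuration parameters of a web tier under test.
PARAMS = {
    "os": ["linux", "windows", "macos"],
    "browser": ["chrome", "firefox", "safari"],
    "tls": ["1.2", "1.3", "off"],
    "auth": ["password", "mfa", "sso"],
}
```

For four three-valued parameters exhaustive testing needs 81 runs; a pairwise array needs at least 9 (every test covers at most one of the nine value pairs for any two parameters) and the greedy builder lands close to that, while a 3-way array needs at least 27. The checker is the part worth keeping in a real pipeline: whatever tool generates the array, verify coverage independently before trusting it.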
Final SP 800-144 12/1/2011 Guidelines on Security and Privacy in Public Cloud Computing
Topic Cloud Computing & Virtualization; Planning; Research; Services & Acquisitions
Keyword Cloud Computing; Computer Security and Privacy; Information Technology Outsourcing
Family Planning
Abstract Cloud computing can and does mean different things to different people. The common characteristics most interpretations
share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered
services from nearly anywhere, and displacement of data and services from inside to outside the organization. While
aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This
publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out
considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud
environment.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-144
Final SP 800-145 9/1/2011 The NIST Definition of Cloud Computing
Topic Cloud Computing & Virtualization; Planning; Research
Keyword Cloud Computing; SaaS; PaaS; IaaS; On-demand Self Service; Resource Pooling; Rapid Elasticity; Measured Service;
Software as a Service; Platform as a Service; Infrastructure as a Service
Family
Abstract Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly
provisioned and released with minimal management effort or service provider interaction. This cloud model is composed
of five essential characteristics, three service models, and four deployment models.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-145
Final SP 800-146 5/29/2012 Cloud Computing Synopsis and Recommendations
Topic Cloud Computing & Virtualization; Planning; Research
Keyword cloud computing, computer security, virtualization
Family
Abstract This document reprises the NIST-established definition of cloud computing, describes cloud computing benefits and open
issues, presents an overview of major classes of cloud technology, and provides guidelines and recommendations on how
organizations should consider the relative opportunities and risks of cloud computing.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-146
Final SP 800-147 4/1/2011 BIOS Protection Guidelines
Topic Authentication; Awareness & Training; Certification & Accreditation (C&A); Contingency Planning; Cryptography; Digital
Signatures; General IT Security; Incident Response; Maintenance; PKI
Keyword BIOS; firmware; security; firmware updates; basic input/output system; BIOS firmware; system BIOS
Family Access Control; System & Information Integrity; System & Services Acquisition
Abstract This document provides guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS)
firmware on PC client systems. Unauthorized modification of BIOS firmware by malicious software constitutes a significant
threat because of the BIOS's unique and privileged position within the PC architecture. A malicious BIOS modification
could be part of a sophisticated, targeted attack on an organization, either a permanent denial of service (if the BIOS is
corrupted) or a persistent malware presence (if the BIOS is implanted with malware).
As used in this publication, the term BIOS refers to conventional BIOS, Extensible Firmware Interface (EFI) BIOS, and
Unified Extensible Firmware Interface (UEFI) BIOS. This document applies to system BIOS firmware (e.g., conventional
BIOS or UEFI BIOS) stored in the system flash memory of computer systems, including portions that may be formatted as
Option ROMs. However, it does not apply to Option ROMs, UEFI drivers, and firmware stored elsewhere in a computer
system.
While this document focuses on current and future x86 and x64 client platforms, the controls and procedures are
independent of any particular system design. Likewise, although the guide is oriented toward enterprise-class platforms,
the necessary technologies are expected to migrate to consumer-grade systems over time. Future efforts may look at boot
firmware security for enterprise server platforms.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-147
DRAFT SP 800-147B 7/30/2012 BIOS Protection Guidelines for Servers
Topic Authentication; Awareness & Training; Certification & Accreditation (C&A); Contingency Planning; Cryptography; Digital
Signatures; General IT Security; Incident Response; Maintenance; PKI
Keyword Basic Input/Output System (BIOS); information security; patch management; server security
Family Access Control; System & Information Integrity; System & Services Acquisition
Abstract This guide is intended to mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic
Input/Output System (BIOS), in server-class systems. This guide identifies security requirements and guidelines for a
secure BIOS update process, using digital signatures to authenticate updates. The intended audience for this document
includes BIOS and platform vendors of server-class systems, and information system security professionals who are
responsible for procuring, deploying, and managing servers.
This document is the second in a series of publications on BIOS protections. The first document, SP800-147, BIOS
Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in
enterprise environments. In the future, NIST intends to develop a new publication providing an overview of BIOS
protections for IT security professionals to be released as SP800-147rev1, and will reissue the current SP800-147 as
SP800-147A at that time.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-147-B
DRAFT SP 800-152 1/6/2014 A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)
Topic Cryptography
Keyword access control; confidentiality; cryptographic key management system; key metadata; disaster recovery; integrity; security
assessment; security policies; source authentication
Family
Abstract This Profile for U.S. Federal Cryptographic Key Management Systems (FCKMSs) contains requirements for their design,
implementation, procurement, installation, configuration, management, operation, and use by U.S. Federal organizations.
The Profile is based on SP 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS).
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-152
Final SP 800-153 2/1/2012 Guidelines for Securing Wireless Local Area Networks (WLANs)
Topic Communications & Wireless; General IT Security; Planning; Risk Assessment
Keyword Wireless Local Area Network; WLAN; IEEE 802.11; 802.11; access points; AP; wireless networking; wireless networking
security
Family Access Control; Configuration Management; Planning; Risk Assessment; System & Communication Protection
Abstract A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as
an office building, that exchange data through radio communications. The security of each WLAN is heavily dependent on
how well each WLAN component—including client devices, access points (AP), and wireless switches—is secured
throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring.
The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for
WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and
strengthening their key recommendations.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-153
DRAFT SP 800-155 12/8/2011 BIOS Integrity Measurement Guidelines
Topic General IT Security
Keyword
Family Configuration Management
Abstract This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output
System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its
unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow
or be part of a sophisticated, targeted attack on an organization, either a permanent denial of service (if the BIOS is
corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are
intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take
appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are
oriented to desktops and laptops deployed in an enterprise environment.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-155
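The measurement-and-reporting chain the draft describes can be simulated in a few lines. The following is an added example written for this page (not code from NIST or from any firmware): each boot component is hashed before it runs, the digest is appended to an event log and folded into a register with a TPM-style extend, and a verifier replays the log against the reported register and a set of golden digests. The firmware images and golden values are constructed stand-ins.

```python
import hashlib

DIGEST_LEN = 32
INITIAL_REGISTER = bytes(DIGEST_LEN)   # the register starts at all-zero on platform reset


def extend(register: bytes, measurement: bytes) -> bytes:
    """Extend operation: new = H(old || measurement).  The register can only be
    advanced, never set, so its value commits to every measurement and their order."""
    return hashlib.sha256(register + measurement).digest()


def measure_boot(components):
    """Simulated root of trust for measurement: hash each firmware component
    before control passes to it, record the digest in the event log and extend
    the register.  Returns (register value, event log)."""
    register = INITIAL_REGISTER
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append({"component": name, "digest": digest})
        register = extend(register, digest)
    return register, log


def replay(log) -> bytes:
    """Recompute the register value a given event log should produce."""
    register = INITIAL_REGISTER
    for event in log:
        register = extend(register, event["digest"])
    return register


def verify_report(register: bytes, log, golden: dict) -> str:
    """Verifier-side check of a (register, log) report against known-good digests.
    Returns "ok" or the reason the report is rejected."""
    if replay(log) != register:
        return "event log inconsistent with register"
    for event in log:
        if golden.get(event["component"]) != event["digest"]:
            return "unexpected measurement for " + event["component"]
    return "ok"


# Constructed firmware images standing in for the real boot components.
GOOD_BOOT = [
    ("boot_block", b"boot block v1"),
    ("main_bios", b"main bios v1"),
    ("option_rom", b"nic option rom v1"),
]
# Golden digests the verifier would normally obtain from the platform vendor.
GOLDEN = {name: hashlib.sha256(image).digest() for name, image in GOOD_BOOT}
```

Two properties carry the security argument: an implanted component changes its digest and so the register, and an attacker who later edits the log cannot make it replay to the register value. On real hardware the register is a TPM PCR and the report is a signed quote; without that signature a verifier has no reason to believe the reported register value came from the hardware rather than from the very software being measured.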
DRAFT SP 800-157 3/7/2014 Guidelines for Derived Personal Identity Verification (PIV) Credentials
Topic
Keyword authentication; credentials; derived PIV credentials; electronic authentication; electronic credentials; mobile devices;
personal identity verification; PIV
Family
Abstract This recommendation provides technical guidelines for the implementation of standards-based, secure, reliable,
interoperable PKI-based identity credentials that are issued by Federal departments and agencies to individuals who
possess and prove control over a valid PIV Card. The scope of this document includes requirements for initial issuance,
maintenance and termination of these credentials, certificate policies and cryptographic specifications, technical
specifications for permitted cryptographic token types and the command interfaces for the removable implementations of
such cryptographic tokens.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-157
DRAFT SP 800-161 8/16/2013 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Topic Cyber-Physical Systems & Smart Grid; General IT Security; Incident Response; Maintenance; Planning; Risk
Assessment; Services & Acquisitions
Keyword acquirer; criticality analysis; external service provider; information and communication technology (ICT); integrator; risk
management; supplier; supply chain
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Program Management; Risk
Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Abstract This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating
Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT
supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-
tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and
guidance.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks; OMB Circular A-130: Management of Federal Information Resources, Appendix III:
Security of Federal Automated Information Resources/Certify & Accredit Systems; OMB Circular A-130: Management of
Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Conduct Security
Awareness Training; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of
Federal Automated Information Resources/Develop Contingency Plans & Procedures; OMB Circular A-130: Management
of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System
Configurations & Security throughout the System Development Life Cycle; OMB Circular A-130: Management of Federal
Information Resources, Appendix III: Security of Federal Automated Information Resources/Mandates Agency-Wide
Information Security Program Development & Implementation
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-161
Final SP 800-162 1/16/2014 Guide to Attribute Based Access Control (ABAC) Definition and Considerations
Topic Research
Keyword access control; access control mechanism; access control model; access control policy; attribute based access control
(ABAC); authorization; privilege
Family Access Control
Abstract This document provides Federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical
access control methodology where authorization to perform a set of operations is determined by evaluating attributes
associated with the subject, object, requested operations, and, in some cases, environment conditions against policy,
rules, or relationships that describe the allowable operations for a given set of attributes. This document also provides
considerations for using ABAC to improve information sharing within organizations and between organizations while
maintaining control of that information.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-162
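The evaluation the abstract describes, attributes of subject, object, operation and environment checked against rules, is shown below as an added example (written for this page, not code or policy from NIST). The rules, attribute names, classification ordering and deny-overrides combining logic are all assumptions of the example; the identities and resource are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, object]
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Rule:
    name: str
    effect: str         # "permit" or "deny"
    applies: Condition  # evaluated over (subject, object, action, environment)


# Ordered classification levels so a clearance can be compared with a label.
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def member_read(s: Attrs, o: Attrs, action: str, env: Attrs) -> bool:
    """Project members may read objects whose label their clearance dominates."""
    return (action == "read"
            and o["project"] in s["projects"]
            and LEVEL[s["clearance"]] >= LEVEL[o["classification"]])


def owner_any(s: Attrs, o: Attrs, action: str, env: Attrs) -> bool:
    """The owning subject may read, write or delete its own object."""
    return o["owner"] == s["id"] and action in ("read", "write", "delete")


def unmanaged_off_hours(s: Attrs, o: Attrs, action: str, env: Attrs) -> bool:
    """Environment condition: unmanaged devices get nothing outside 09:00-18:00."""
    return not env["device_managed"] and not 9 <= env["hour"] < 18


def delete_under_hold(s: Attrs, o: Attrs, action: str, env: Attrs) -> bool:
    """Object attribute: a legal hold blocks deletion regardless of who asks."""
    return action == "delete" and bool(o.get("legal_hold", False))


POLICY: List[Rule] = [
    Rule("project-member-read", "permit", member_read),
    Rule("owner-full-access", "permit", owner_any),
    Rule("unmanaged-off-hours", "deny", unmanaged_off_hours),
    Rule("legal-hold", "deny", delete_under_hold),
]


def decide(policy: List[Rule], s: Attrs, o: Attrs, action: str, env: Attrs) -> dict:
    """Deny-overrides combining: a matching deny rule beats any permit, a matching
    permit is required for access, and no matching rule at all means deny."""
    matched = [r for r in policy if r.applies(s, o, action, env)]
    if any(r.effect == "deny" for r in matched):
        decision = "deny"
    elif any(r.effect == "permit" for r in matched):
        decision = "permit"
    else:
        decision = "deny"
    return {"decision": decision, "matched": [r.name for r in matched]}


# Constructed attribute sets standing in for an identity store, a resource
# catalog and the context a policy enforcement point would supply.
ALICE = {"id": "alice", "clearance": "confidential", "projects": ["apollo"]}
BOB = {"id": "bob", "clearance": "internal", "projects": ["apollo"]}
PLAN = {"owner": "bob", "project": "apollo", "classification": "internal", "legal_hold": True}
BUSINESS_HOURS = {"hour": 11, "device_managed": True}
LATE_BYOD = {"hour": 22, "device_managed": False}
```

Returning the matched rule names alongside the decision is deliberate: an ABAC deployment is only auditable if every decision can be traced to the attributes and rules that produced it, and a deny with an empty match list (no rule spoke at all) is a different finding from a deny that a specific rule forced.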
DRAFT SP 800-164 10/31/2012 Guidelines on Hardware-Rooted Security in Mobile Devices
Topic Communications & Wireless; General IT Security
Keyword information security; mobile device security; root of trust; smartphone; tablet
Family System & Information Integrity
Abstract The guidelines in this document are intended to provide a common baseline of security technologies that can be
implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices
brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own
Device, BYOD). It focuses on providing three security capabilities (device integrity, isolation, and protected storage)
through the use of hardware-based roots of trust.
The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security
software vendors, carriers, application software developers and information system security professionals who are
responsible for managing the mobile devices in an enterprise environment.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-164
Final SP 800-165 7/22/2013 Computer Security Division 2012 Annual Report
Topic Annual Reports
Keyword Federal Information Security Management Act; FISMA; Computer Security Division; CSD; information security
Family
Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002,
requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming
year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component
of NIST's Information Technology Laboratory (ITL), is to provide standards and technology that protects information
systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year
2012 (FY 2012), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through
CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security
and privacy mechanisms were developed and applied that improved information security across the federal government
and the greater information security community. This annual report highlights the research agenda and activities in which
CSD was engaged during FY 2012.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#800-165
DRAFT SP 800-168 1/27/2014 Approximate Matching: Definition and Terminology
Topic Cryptography; Forensics
Keyword approximate matching; digital forensics
Family
Abstract Approximate matching is a promising technology designed to identify similarities between two digital artifacts. It is used
to find objects that resemble each other or to find objects that are contained in another object. This can be very useful for
filtering data for security monitoring, digital forensics, or other applications.
Legal
Link http://csrc.nist.gov/publications/PubsSPs.html#800-168
Final FIPS 180-4 3/6/2012 Secure Hash Standard (SHS)
Topic Authentication; Cryptography; Digital Signatures
Keyword computer security; cryptography; message digest; hash function; hash algorithm; Federal Information Processing
Standards; Secure Hash Standard
Family System & Communication Protection; System & Information Integrity
Abstract This standard specifies hash algorithms that can be used to generate digests of messages. The digests are used to detect
whether messages have been changed since the digests were generated.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-180--4
Final FIPS 181 10/5/1993 Automated Password Generator
Topic Authentication; Cryptography
Keyword automated password generator; computer security; Federal Information Processing Standard; FIPS; password; random
numbers
Family System & Communication Protection; System & Information Integrity
Abstract The Automated Password Generator Standard specifies an algorithm to generate passwords for the protection of
computer resources. This standard is for use in conjunction with FIPS PUB 112, Password Usage Standard, which
provides basic security criteria for the design, implementation, and use of passwords. The algorithm uses random
numbers to select the characters that form the random pronounceable passwords. The random numbers are generated by
a random number subroutine based on the Electronic Codebook mode of the Data Encryption Standard (DES) (FIPS PUB
46-1). The random number subroutine uses a pseudorandom DES key generated in accordance with the procedure
described in Appendix C of ANSI X9.17.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-181
Final FIPS 185 2/9/1994 Escrowed Encryption Standard
Topic Cryptography
Keyword Cryptography; Federal Information Processing Standard; encryption; key escrow system; security
Family
Abstract This standard specifies an encryption/decryption algorithm and a Law Enforcement Access Field (LEAF) creation method
which may be implemented in electronic devices and used for protecting government telecommunications when such
protection is desired. The algorithm and the LEAF creation method are classified and are referenced, but not specified, in
the standard. Electronic devices implementing this standard may be designed into cryptographic modules which are
integrated into data security products and systems for use in data security applications. The LEAF is used in a key escrow
system that provides for decryption of telecommunications when access to the telecommunications is lawfully authorized.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-185
Final FIPS 186-4 7/19/2013 Digital Signature Standard (DSS)
Topic Authentication; Cryptography; Digital Signatures
Keyword computer security; cryptography; Digital Signature Algorithm; digital signatures; Elliptic Curve Digital Signature Algorithm;
Federal Information Processing Standard; public
Family System & Communication Protection
Abstract The Standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used
to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of
signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact,
generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the
signature at a later time. This Standard specifies three techniques for the generation and verification of digital signatures:
DSA, ECDSA and RSA. This revision increases the length of the keys allowed for DSA, provides additional requirements
for the use of ECDSA and RSA, and includes requirements for obtaining assurances necessary for valid digital signatures.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#186-4
Final FIPS 188 9/6/1994 Standard Security Label for Information Transfer
Topic Maintenance; Planning
Keyword Application Layer security; computer communications security; Computer Security Objects Register; Federal Information
Processing Standard; Information Transfer security labels; Network Layer security; security labels; security protocols
Family Access Control
Abstract Information Transfer security labels convey information used by protocol entities to determine how to handle data
communicated between open systems. Information on a security label can be used to control access, specify protective
measures, and determine handling restrictions required by a communications security policy. This standard defines a
security label syntax for information exchanged over data networks and provides encodings of that syntax for use at the
Application and Network Layers. The syntactic constructs defined in this standard are intended to be used along with
semantics provided by the authority establishing the security policy for the protection of the information exchanged. A
separate NIST document, referenced in an informative appendix, defines a Computer Security Objects Register (CSOR)
that serves as repository for label semantics.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-188
Final FIPS 190 9/28/1994 Guideline for the Use of Advanced Authentication Technology Alternatives
Topic Authentication; Cryptography
Keyword computer security; cryptographic modules; cryptography; Federal Information Processing Standards Publication;
telecommunication security
Family Identification & Authentication; System & Communication Protection
Abstract This Guideline describes the primary alternative methods for verifying the identities of computer system users, and
provides recommendations to Federal agencies and departments for the acquisition and use of technology which supports
these methods. Although the traditional approach to authentication relies primarily on passwords, it is clear that password-
only authentication often fails to provide an adequate level of protection. Stronger authentication techniques become
increasingly more important as information processing evolves toward an open systems environment. Modern technology
has produced authentication tokens and biometric devices which are reliable, practical, and cost-effective. Passwords,
tokens, and biometrics can be used in various combinations to provide far greater assurance in the authentication process
than can be attained with passwords alone.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-190
Final FIPS 191 11/9/1994 Guideline for The Analysis of Local Area Network Security
Topic Audit & Accountability; Certification & Accreditation (C&A); Maintenance; Planning; Risk Assessment
Keyword Federal Information Processing Standards Publication (FIPS PUB); local area network (LAN); LAN security; risk; security;
security mechanism; security service; threat; vulnerability
Family
Abstract This guideline discusses threats and vulnerabilities and considers technical security services and security mechanisms.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-191
Final FIPS 196 2/18/1997 Entity Authentication Using Public Key Cryptography
Topic Authentication; Cryptography; PKI
Keyword access control; authentication; challenge-response; computer security; cryptographic modules; cryptography; Federal
Information Processing Standard (FIPS); telecommunications security
Family
Abstract This standard specifies two challenge-response protocols by which entities in a computer system may authenticate their
identities to one another. These may be used during session initiation, and at any other time that entity authentication is
necessary. Depending on which protocol is implemented, either one or both entities involved may be authenticated. The
defined protocols are derived from an international standard for entity authentication based on public key cryptography,
which uses digital signatures and random number challenges. Authentication based on public key cryptography has an
advantage over many other authentication schemes because no secret information has to be shared by the entities
involved in the exchange. A user (claimant) attempting to authenticate oneself must use a private key to digitally sign a
random number challenge issued by the verifying entity. This random number is a time variant parameter which is unique
to the authentication exchange. If the verifier can successfully verify the signed response using the claimant's public key,
then the claimant has been successfully authenticated.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-196
Final FIPS 197 11/26/2001 Advanced Encryption Standard
Topic Cryptography
Keyword algorithm; block cipher; ciphertext; cryptographic algorithm; cryptographic keys; decryption; encryption
Family System & Communication Protection
Abstract The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect
electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher)
information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data
back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256
bits to encrypt and decrypt data in blocks of 128 bits.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-197
Final FIPS 198-1 7/16/2008 The Keyed-Hash Message Authentication Code (HMAC)
Topic Cryptography
Keyword computer security; cryptography; HMAC; MAC; message authentication; Federal Information Processing Standards
(FIPS)
Family Audit & Accountability; System & Communication Protection; System & Information Integrity
Abstract This Standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication
using cryptographic hash functions. HMAC can be used with any iterative Approved cryptographic hash function, in
combination with a shared secret key.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-198--1
Final FIPS 199 2/1/2004 Standards for Security Categorization of Federal Information and Information Systems
Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment
Keyword classification; Federal information; Federal information systems; FIPS; security
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Planning; Program Management; Risk
Assessment
Abstract The purpose of this document is to provide a standard for categorizing federal information and information systems
according to an agency's level of concern for confidentiality, integrity, and availability and the potential impact on agency
assets and operations should their information and information systems be compromised through unauthorized access,
use, disclosure, disruption, modification, or destruction.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-199
Final FIPS 200 3/1/2006 Minimum Security Requirements for Federal Information and Information Systems
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Planning
Keyword risk-assessment; security controls; security requirements
Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments;
Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System &
Communication Protection; System & Information Integrity; System & Services Acquisition;
Abstract FIPS 200 is the second standard that was specified by the Information Technology Management Reform Act of 1996
(FISMA). It is an integral part of the risk management framework that the National Institute of Standards and Technology
(NIST) has developed to assist federal agencies in providing levels of information security based on levels of risk. FIPS
200 specifies minimum security requirements for federal information and information systems and a risk-based process for
selecting the security controls necessary to satisfy the minimum requirements.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Certify & Accredit Systems
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-200
Final FIPS 201-1 6/23/2006 Personal Identity Verification (PIV) of Federal Employees and Contractors
Topic Biometrics; Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Keyword Architecture; authentication; authorization; biometrics; credential; cryptography; Federal Information Processing Standards
(FIPS); HSPD 12; identification; identity; infrastructure; model; Personal Identity Verification; PIV; validation; verification.
Family Access Control; Identification & Authentication; Planning; System & Communication Protection
Abstract This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and
contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed
identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government
information systems.
The standard contains two major sections. Part one describes the minimum requirements for a Federal personal identity verification
system that meets the control and security objectives of Homeland Security Presidential Directive 12, including personal identity
proofing, registration, and issuance. Part two provides detailed specifications that will support technical interoperability among PIV
systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to
securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data
elements that make up identity credentials are specified in this standard. The interfaces and card architecture for storing and retrieving
identity credentials from a smart card are specified in Special Publication 800-73, Interfaces for Personal Identity Verification. Similarly,
the interfaces and data formats of biometric information are specified in Special Publication 800-76, Biometric Data Specification for
Personal Identity Verification.
This standard does not specify access control policies or requirements for Federal departments and agencies.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-201--1
Final FIPS 201-2 8/31/2013 Personal Identity Verification (PIV) of Federal Employees and Contractors
Topic Biometrics; Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Keyword architecture; authentication; authorization; biometrics; credential; cryptography; Federal Information Processing Standards
(FIPS); HSPD-12; identification; identity; infrastructure; model; Personal Identity Verification; PIV; public key infrastructure;
PKI; validation; verification.
Family Access Control; Identification & Authentication; Planning; System & Communication Protection
Abstract This Standard specifies the architecture and technical requirements for a common identification standard for Federal employees and
contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed
identity of individuals seeking physical access to Federally controlled government facilities and logical access to government information
systems.
The Standard contains the minimum requirements for a Federal personal identity verification system that meets the control and security
objectives of Homeland Security Presidential Directive-12 [HSPD-12], including identity proofing, registration, and issuance. The
Standard also provides detailed specifications that will support technical interoperability among PIV systems of Federal departments
and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve
identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials
are specified in this Standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are
specified in Special Publication 800-73, Interfaces for Personal Identity Verification. The interfaces and data formats of biometric
information are specified in Special Publication 800-76, Biometric Specifications for Personal Identity Verification. The requirements for
cryptographic algorithms are specified in Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity
Verification. The requirements for the accreditation of the PIV Card issuers are specified in Special Publication 800-79, Guidelines for
the Accreditation of Personal Identity Verification Card Issuers. The unique organizational codes for Federal agencies are assigned in
Special Publication 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations. The requirements for card
readers are specified in Special Publication 800-96, PIV Card to Reader Interoperability Guidelines. The format for encoding the chain-
of-trust for import and export is specified in Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export.
The requirements for issuing PIV derived credentials are specified in Special Publication 800-157, Guidelines for Derived Personal
Identity Verification (PIV) Credentials.
This Standard does not specify access control policies or requirements for Federal departments and agencies.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-201--2
DRAFT FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
Topic Authentication; Cryptography; Digital Signatures
Keyword computer security; cryptography; extendable-output function; Federal Information Processing Standard; hash algorithm;
hash function; information security; KECCAK; message digest; permutation; SHA-3; sponge construction; sponge
function; XOF
Family
Abstract This Standard specifies the Secure Hash Algorithm-3 (SHA-3) family of functions on binary data. Each of the SHA-3
functions is based on an instance of the KECCAK algorithm that NIST selected as the winner of the SHA-3 Cryptographic
Hash Algorithm Competition. This Standard also specifies the KECCAK-p family of mathematical permutations, including
the permutation that underlies KECCAK, in order to facilitate the development of additional permutation-based
cryptographic functions.
The SHA-3 family consists of four cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and SHA3-512,
and two extendable-output functions (XOFs), called SHAKE128 and SHAKE256.
Hash functions are components for many important information security applications, including 1) the generation and
verification of digital signatures, 2) key derivation, and 3) pseudorandom bit generation. The hash functions specified in
this Standard supplement the SHA-1 hash function and the SHA-2 family of hash functions that are specified in FIPS 180-4,
the Secure Hash Standard.
Extendable-output functions are different from hash functions, but it is possible to use them in similar ways, with the
flexibility to be adapted directly to the requirements of individual applications, subject to additional security considerations.
Legal
Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-202
Final NISTIR 4734 2/1/1992 Foundations of a Security Policy for Use of the National Research and Educational Network
Topic
Keyword computer security policy; High-Performance Computing and Communication; HPCC; National Research and Educational
Network; NREN
Family
Abstract The National Research and Education Network (NREN) is an integral part of the planned High-Performance Computing
and Communication (HPCC) infrastructure that will extend throughout the scientific, technical and education communities.
The projected vision is one of desks and laboratory benches as entry points to a nation-wide electronic network of
information technologies with shared access to services and resources such as high-performance computing systems,
specialized software tools, databases, scientific instruments, digital libraries, and other research facilities.
The purpose of this report is to explore the foundations of a security policy and propose a security policy for the NREN,
one that is applicable to and identifies responsibilities of all major network constituents: end users, system administrators,
management at all levels, vendors, system developers, service providers, and the Federal Networking Council.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4734
Final NISTIR 4749 6/26/1992 Sample Statements of Work for Federal Computer Security Services: For use In-House or Contracting Out
Topic
Keyword
Family
Abstract Each federal organization is fully responsible for its computer security program whether the security program is
performed by in-house staff or contracted out. Time constraints, budget constraints, availability or expertise of staff, and
the potential knowledge to be gained by the organization from an experienced contractor are among the reasons a federal
organization may wish to get external assistance for some of these complex, labor intensive activities.
An interagency working group of federal and private sector security specialists developed this document. The document
presents the ideas and experiences of those involved with computer security. It supports the operational field with a set
of Statements of Work (SOWs) describing significant computer security activities. While not a substitute for good computer
security management, organization staff and government contractors can use these SOWs as a basis for a common
understanding of each described activity. The sample SOWs can foster easier access to more consistent, high-quality
computer security services. The descriptions apply to contracting for services or obtaining them from within the organization.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4749
Final NISTIR 4939 10/1/1992 Threat Assessment of Malicious Code and External Attacks
Topic
Keyword
Family
Abstract As a participant in the U.S. Army Computer Vulnerability/Survivability Study Team, the National Institute of
Standards and Technology has been tasked with providing an assessment of the threats associated with commercial hardware
and software. This document is the second and final deliverable under the Military Interdepartmental Purchase Request
number: W43P6Q-92-EW138. This report provides an assessment of the threats associated with malicious code and external
attacks on systems using commercially available hardware and software. The history of the threat is provided and current
protection methods described. A projection of the future threats for both malicious code and human threats is also given.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4939
Final NISTIR 4976 11/1/1992 Assessing Federal and Commercial Information Security Needs
Topic
Keyword
Family
Abstract In a cooperative effort with government and industry, the National Institute of Standards and Technology (NIST)
conducted a study to assess the current and future information technology (IT) security needs of the commercial, civil,
and military sectors. The primary objectives of the study were to: a) determine a basic set of information protection
policies and control objectives that pertain to the secure processing needs of organizations within all sectors; and b)
identify protection requirements and technical approaches that are used, desired or sought so they can be considered for
future federal standards and guidelines. The findings of this study address the basic security needs of IT product users,
including system developers, end users, administrators, and evaluators. Security needs have been identified based on
actual existing and well-understood security organizational practices.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4976
Final NISTIR 5153 3/1/1993 Minimum Security Requirements for Multi-User Operating Systems
Topic
Keyword
Family
Abstract [NOTE: THIS DOCUMENT HAS BEEN SUPERSEDED BY THE FEDERAL CRITERIA.]
The Minimum Security Requirements for Multi-User Operating Systems (MSR) document provides basic commercial computer
system security requirements applicable to both government and commercial organizations. These requirements include
technical measures that can be incorporated into multi-user, remote-access, resource-sharing, and information-sharing
computer systems. The MSR document was written from the perspective of protecting the confidentiality and integrity of an
organization's resources and promoting the continual availability of these resources. The MSR presented in this document
form the basis for the commercially oriented protection profiles in Volume II of the draft Federal Criteria for Information
Technology Security document (known as the Federal Criteria). The Federal Criteria is currently a draft and supersedes this
document.
The MSR document has been developed by the MSR Working Group of the Federal Criteria Project under National Institute of
Standards and Technology (NIST) leadership with a high level of private sector participation. Its contents are based on the
Trusted Computer System Evaluation Criteria (TCSEC) C2 criteria class, with additions from current computer industry
practice and commercial security requirements specifications.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5153
Final NISTIR 5232 5/1/1993 Report of the NSF/NIST Workshop on NSFNET/NREN Security, July 6-7, 1992
Topic
Keyword computer security policy; High-Performance Computing and Communication; HPCC; National Research and Educational
Network; NREN
Family
Abstract The Workshop on NSFNET/NREN Security was hosted by NIST and sponsored by NSF to address the need for
improving the security of national computer networks. Emphasis was on identifying off-the-shelf security technology that
could be implemented in the NSF Network, especially to control access to the supercomputer on the network. The report
sections reflect the workshop sessions that related security aspects of distributed networks: authentication, access
control, applications security and security management. A final section details workshop recommendations.
Legal
Link
Final NISTIR 5234 10/1/1993 Report of the NIST Workshop on Digital Signature Certificate Management, December 10-11, 1992
Topic
Keyword certificate management; certificate revocation lists; public key certificate; X.509 certificates
Family
Abstract The purpose of the workshop, held at the National Institute of Standards and Technology (NIST) on December 10-11,
1992, was to review the existing and required technologies for digital signature certification authorities, and to develop
recommendations for certificate contents, formats, generation, distribution and storage. The results of the workshop will be
provided to MITRE Corporation as input to the federally sponsored study of signature certification authorities. Invited
participants represented various constituencies including the Federal Government, commercial organizations, standards
organizations, and international interests. This report includes a summary of the presentations and copies of slides for
nine of the presentations.
Legal
Link
Final NISTIR 5308 12/1/1993 General Procedures for Registering Computer Security Objects
Topic
Keyword
Family
Abstract The primary purpose of this register is to specify names that
uniquely identify Computer Security Objects (CSOs). Unique names
can be used to reference objects during the negotiation of
security services for a transaction or application. The register
is also a repository of parameters associated with the registered
object.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5308
Final NISTIR 5468 6/1/1994 Report of the NIST Workshop on Key Escrow Encryption
Topic
Keyword cryptography; Escrowed Encryption Standard (EES); key escrow; SKIPJACK algorithm; telecommunications
Family
Abstract On June 10, 1994, the National Institute of Standards and Technology (NIST) hosted a one-day workshop to present and
discuss key escrow encryption technology, including the recently-approved Escrowed Encryption Standard (EES), Federal
Information Processing Standard (FIPS) Publication 185. Speakers from government and industry presented the
objectives of key escrow encryption, its current method, several alternative methods for key escrow encryption, system
integrity requirements, international aspects of key escrowing, and future directions.
Legal
Link
Final NISTIR 5472 3/1/1994 A Head Start on Assurance: Proceedings of an Invitational Workshop on Information Technology (IT) Assurance and
Trustworthiness, March 21-23, 1994
Topic Conferences & Workshops
Keyword
Family
Abstract The purpose of the Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness was to identify
crucial issues on assurance in IT systems and to provide input into the development of policy guidance on determining the
type and level of assurance appropriate in a given environment. The readers of these proceedings include those who
handle sensitive information involving national security, privacy, commercial value, integrity, and availability.
Existing IT security policy guidance is based on computer and communications architectures of the early 1980s.
Technological changes since that time mandate a review and revision of policy guidance on assurance and
trustworthiness, especially since the changes encompass such technologies as distributed systems, local area networks,
the worldwide Internet, policy-enforcing applications, and public key cryptography.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5472
Final NISTIR 5495 9/1/1994 Computer Security Training & Awareness Course Compendium
Topic
Keyword
Family
Abstract [Compendium of computer security courses offered circa 1994]
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5495
Final NISTIR 6390 9/1/1999 Randomness Testing of the Advanced Encryption Standard Candidate Algorithms
Topic Cryptography
Keyword Advanced Encryption Standard (AES); random number generators; randomness; statistical tests
Family
Abstract One of the criteria used to evaluate the Advanced Encryption Standard candidate algorithms was their demonstrated
suitability as random number generators. That is, the evaluation of their output utilizing statistical tests should not provide
any means by which to computationally distinguish them from a truly random source. This internal report lists several
characteristics which an encryption algorithm exhibiting random behavior should possess, describes how the output for
each candidate algorithm was evaluated for randomness, discusses what has been learned utilizing the NIST statistical
tests, and finally provides an interpretation of the results.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6390
Final NISTIR 6416 10/1/1999 Applying Mobile Agents to Intrusion Detection and Response
Topic Incident Response
Keyword intrusion detection; intrusion response; mobile agents
Family
Abstract Effective intrusion detection capability is an elusive goal, not solved easily or with a single mechanism. However, mobile
agents go a long way toward realizing the ideal behavior desired in an Intrusion Detection System (IDS). This report is an
initial foray into the relatively unexplored terrain of using Mobile Agents for Intrusion Detection Systems (MAIDS). It
suggests a number of innovative ways to apply agent mobility to address shortcomings of current IDS designs and
implementations, and explores several new paradigms involving mobile agents. The report looks not only at the benefits
derived from mobility, but also those inherent to agent technology, such as autonomous components. We explore these
benefits in some detail and propose specific research topics in both the intrusion detection and intrusion response areas.
We also discuss performance advantages and disadvantages that occur when using mobile agents in intrusion detection
and response. The report concludes with a rating of the proposed research topics, falling under three main areas:
performance enhancements, design improvements, and response improvements.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6416
Final NISTIR 6462 12/1/1999 CSPP - Guidance for COTS Security Protection Profiles (Formerly: CS2 - Protection Profile Guidance for Near-Term
COTS) Version 1.0
Topic Maintenance; Planning
Keyword Commercial Off-The-Shelf products; Common Criteria; COTS; networked information systems; operating systems;
Protection Profile
Family
Abstract CSPP provides the guidance necessary to develop compliant Common Criteria protection profiles for near-term,
achievable, security baselines using commercial off-the-shelf (COTS) information technology. CSPP accomplishes this
purpose by: (1) describing a largely policy-neutral, notional information system in the format of a protection profile (PP);
(2) specifying a subset of the Common Criteria to be used in developing compliant protection profiles; and (3) providing
the basis for refining (a) policy-neutral guidance into specific policy requirements, and (b) system security threats,
objectives, and requirements into a subset which is appropriate for a specific PP. CSPP provides the requirements
necessary to specify needs for both stand-alone and distributed, multi-user information systems. This covers
general-purpose operating systems, database management systems, and other applications.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6462
Final NISTIR 6483 4/1/2000 Randomness Testing of the Advanced Encryption Standard Finalist Candidates
Topic Cryptography
Keyword Advanced Encryption Standard (AES); random number generators; randomness; statistical tests
Family
Abstract Mars, RC6, Rijndael, Serpent and Twofish were selected as finalists for the Advanced Encryption Standard (AES). To
evaluate the finalists’ suitability as random number generators, empirical statistical testing is commonly employed.
Although it is widely believed that these five algorithms are indeed random, randomness testing was conducted to show that
there is empirical evidence supporting this belief. In this paper, NIST reports on the studies that were conducted on the
finalists for the 192-bit key size and 256-bit key size. The results to date suggest that all five of the finalists appear to be
random.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6483
Final NISTIR 6529-A 4/5/2004 Common Biometric Exchange Formats Framework (CBEFF)
Topic Biometrics
Keyword biometrics; biometric data format; biometric data elements; biometric data exchange; biometric technologies; data
interchange; interoperability; nested structure
Family
Abstract The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric
technologies in a common way. These data elements can be placed in a single file used to exchange biometric information between
different system components or between systems. The result promotes interoperability of biometric-based application programs and
systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version
of the original CBEFF, the Common Biometric Exchange File Format, published as NISTIR 6529. In addition to the name change, which
reflects more accurately the scope of the specification, NISTIR 6529-A incorporates new features such as a CBEFF nested structure in
order to support multiple biometric data types (e.g., finger, face and voice) and/or multiple biometric data blocks of the same biometric
type (e.g., finger biometric data blocks from more than one finger) within a CBEFF data structure, a Biometric Feature to further define
the type of biometric data being placed in the file, a Validity Period for that data, an expanded definition of the Creator field which now
specifies a Product Identifier, an Index Field associated with a specific instance of biometric reference data, a Challenge-Response
field and a Payload field. NISTIR 6529-A also defines two new CBEFF Formats, biometric data objects for use within smart cards and
other tokens and a simple root header for use in domains where more than one Patron Format, simple or nested, may be encountered.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6529-A
Final NISTIR 6887 2003 Edition 7/16/2003 Government Smart Card Interoperability Specification, Version 2.1
Topic Biometrics; Planning; Services & Acquisitions; Smart Cards
Keyword government smart card program; smart access common identification card contract; smart card; smart card interoperability
Family
Abstract This Government Smart Card Interoperability Specification (GSC-IS) provides solutions to a number of the interoperability
challenges associated with smart card technology. The original version of the GSC-IS (version 1.0, August 2000) was
developed by the GSC Interoperability Committee led by the General Services Administration (GSA) and the National
Institute of Standards and Technology (NIST), in association with the GSA Smart Access Common Identification Card
contract.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6887
Final NISTIR 6981 4/1/2003 Policy Expression and Enforcement for Handheld Devices
Topic Audit & Accountability; Incident Response; Planning; Risk Assessment
Keyword digital certificates; handheld devices; PDA; Personal Digital Assistant; security policy; trust management
Family
Abstract The use of mobile handheld devices, such as Personal Digital Assistants (PDAs) and tablet computers, within the
workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters,
but instead have become indispensable tools that offer competitive business advantages for the mobile workforce. While
providing productivity benefits, the ability of these devices to store and transmit corporate information through both wired
and wireless networks poses potential risks to an organization’s security. This paper describes a framework for managing
user privileges on handheld devices. The approach is aimed at assisting enterprise security officers in administering and
enforcing group and individual security policies for PDAs, and helping constrain users to comply automatically with their
organization’s security policy. Details of a proof-of-concept implementation of the framework are also provided.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6981
Final NISTIR 6985 4/1/2003 COTS Security Protection Profile - Operating Systems (CSPP-OS) (Worked Example Applying Guidance of NISTIR-6462,
CSPP) Version 1.0
Topic Maintenance; Planning
Keyword Commercial Off-The-Shelf products; Common Criteria; COTS; operating systems; Protection Profile
Family
Abstract CSPP-OS provides a worked example of the guidance in NISTIR-6462 for the development of Common Criteria Protection
Profiles for commercial off the shelf (COTS) information technology. The intended audience consists of those individuals
and organizations in both government and private sectors who are tasked with the responsibility to develop or review
Protection Profiles. This document is presented as a protection profile, followed by a rationale that is structured as a
separate document. This format was selected to facilitate using this guidance as a template for the development of
Protection Profiles.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6985
Final NISTIR 7007 7/11/2003 An Overview of Issues in Testing Intrusion Detection Systems
Topic Research
Keyword IDS performance measurement methodology; intrusion detection system (IDS); quantitative testing of IDSs
Family
Abstract While intrusion detection systems are becoming ubiquitous defenses in today's networks, currently we have no
comprehensive and scientifically rigorous methodology to test the effectiveness of these systems. This paper explores the
types of performance measurements that are desired and that have been used in the past. We review many past
evaluations that have been designed to assess these metrics. We also discuss the hurdles that have blocked successful
measurements in this area and present suggestions for research directed toward improving our measurement capabilities.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7007
Final NISTIR 7030 7/1/2003 Picture Password: A Visual Login Technique for Mobile Devices
Topic Authentication
Keyword authentication; handheld devices; mobile devices; PDA; Personal Digital Assistant; visual login
Family
Abstract Adequate user authentication is a persistent problem, particularly with handheld devices, which tend to be highly personal
and at the fringes of an organization's influence. Yet, these devices are being used increasingly in corporate settings
where they pose a security risk, not only by containing sensitive information, but also by providing the means to access
such information over wireless network interfaces. User authentication is the first line of defense against a lost or stolen
PDA. However, motivating users to enable simple PIN or password mechanisms and periodically update their
authentication information is a constant struggle. This paper describes a means to authenticate a user to a PDA using a
visual login technique called Picture Password. The underlying rationale is that a method for login based on visual image
selection is an easy and natural way for users to authenticate, removing the most serious barriers to users' compliance
with corporate policy. While the technique was designed specifically for handheld devices, it is also suitable for
notebooks, workstations, and other computational devices.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7030
Final NISTIR 7046 8/1/2003 A Framework for Multi-mode Authentication: Overview and Implementation Guide
Topic Authentication; Communications & Wireless; Cryptography
Keyword authentication; MAF; mobile devices; Multi-mode Authentication Framework; PDA; Personal Digital Assistant; security
policy
Family
Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as
coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive
business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks
to an organization's security. Enabling adequate user authentication is the first line of defense against unauthorized use of
a lost or stolen handheld device. Multiple modes of authentication increase the work factor needed to attack a device;
however, few devices support more than one mode, usually password-based authentication. This report describes a
general Multi-mode Authentication Framework (MAF) for applying organizational security policies, organized into distinct
policy contexts known as echelons, among which a user may transition. The approach is aimed at helping users easily
comply with their organization's security policy, yet be able to exercise a significant amount of flexibility and discretion.
The design of the framework allows various types of authentication technologies to be incorporated readily and provides a
simple interface for supporting different types of policy enforcement mechanisms. Details of the implementation of the
framework are provided, as well as two example authentication mechanisms.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7046
Final NISTIR 7056 3/1/2004 Card Technology Developments and Gap Analysis Interagency Report
Topic Biometrics; Research; Smart Cards
Keyword access cards; identification cards; smart cards; storage cards
Family
Abstract This Card Technology Developments and Gap Analysis Interagency Report (IR) provides information regarding current
technical capabilities and limitations of storage and processor cards, current user requirements for individual and
integrated technologies, and major impediments to technology exploitation. The report also identifies existing standards
governing card technologies.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7056
Final NISTIR 7100 8/1/2004 PDA Forensic Tools: an Overview and Analysis
Topic Forensics; Incident Response; Services & Acquisitions
Keyword computer forensics; forensic software; forensic toolkits; PDA; Personal Digital Assistant
Family
Abstract Adequate user authentication is a persistent problem, particularly with mobile devices such as Personal Digital Assistants
(PDAs), which tend to be highly personal and at the fringes of an organization's influence. Yet these devices are being
used increasingly in military and government agencies, hospitals, and other business settings, where they pose a risk to
security and privacy, not only from sensitive information they may contain, but also from the means they typically offer to
access such information over wireless networks. User authentication is the first line of defense for a mobile device that
falls into the hands of an unauthorized individual. However, motivating users to enable simple PIN or password
mechanisms and periodically update their authentication information is difficult at best. This paper describes a general-
purpose mechanism for authenticating users through image selection. The underlying rationale is that image recall is an
easy and natural way for users to authenticate, removing a serious barrier to users' compliance with corporate policy. The
approach described distinguishes itself from other attempts in this area in several ways, including style-dependent image
selection, password reuse, and embedded salting, which collectively overcome a number of problems in employing
knowledge-based authentication on mobile devices.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7100
Final NISTIR 7111 4/30/2004 Computer Security Division 2003 Annual Report
Topic Annual Reports
Keyword computer security; computer security awareness; computer security division; computer security guidance; computer
security research; cryptographic standards; cyber security; FISMA; IT security; security testing and metrics
Family
Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security
Division during the Fiscal Year 2003. It discusses all projects and programs within the Division, staff highlights, and
publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the
Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information
technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of
information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the
Federal Information Security Management Act (FISMA) of 2002 and the Cyber Security Research and Development Act of
2002. Beyond the role to serve the Federal Agencies under FISMA, CSD standards and guidelines are often voluntarily
used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing
information systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover,
the Division has an active role in both national and international standards organizations in promoting the interests of
security and U.S. industry.
Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the
Previous Year
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7111
Final NISTIR 7200 6/1/2005 Proximity Beacons and Mobile Device Authentication: an Overview and Implementation
Topic Authentication; Research
Keyword authentication; Bluetooth; mobile devices; MAF; Multi-mode Authentication Framework; organizational beacon; PAN;
Personal Area Network; personal beacon; proximity beacon
Family
Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as
coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive
business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks
to an organization's security by the information they contain or can access remotely. Enabling adequate user
authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device. This
report describes an innovative type of authentication mechanism that relies on the presence of a signal from a wireless
beacon for access to be granted. Such proximity beacons can be either organizational or personal in orientation, and require
only that handheld devices support a common standard wireless interface for Personal Area Network (PAN)
communications, such as Bluetooth. Details of the design and implementation for both personal and organizational
proximity beacons are provided.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7200
Final NISTIR 7206 7/1/2005 Smart Cards and Mobile Device Authentication: an Overview and Implementation
Topic Authentication; Biometrics; Communications & Wireless; Cryptography; Smart Cards
Keyword authentication; Bluetooth; mobile devices; MAF; Multi-mode Authentication Framework; smart cards; Smart Multi-Media
Card; SMMC
Family
Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as
coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive
business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks
to an organization's security by the information they contain or can access remotely. Enabling adequate user
authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device.
Smart cards have long been the choice of authentication mechanism for many organizations; however, few handheld
devices easily support readers for standard-size smart cards. This report describes two novel types of smart cards that
use standard interfaces supported by handheld devices, avoiding use of the more cumbersome standard-size smart card
readers. These solutions are aimed at helping organizations apply smart cards for authentication and other security
services. Details of the design and implementation are provided.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7206
Final NISTIR 7219 4/15/2005 Computer Security Division 2004 Annual Report
Topic Annual Reports
Keyword computer security; computer security awareness; computer security division; computer security guidance; computer
security research; cryptographic standards; cyber security; FISMA; IT security; security testing and metrics
Family
Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security
Division during Fiscal Year 2004. It discusses all projects and programs within the Division, staff highlights, and
publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the
Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information
technology, initially focused principally on mainframe computers, to now encompass today's wide gamut of information
technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal
Information Security Management Act of 2002 (FISMA) and the Cyber Security Research and Development Act of 2002.
Beyond the role to serve the Federal agencies under FISMA, CSD standards and guidelines are often voluntarily used by
U.S. industry, global industry, and foreign governments as sources of information and direction for securing information
systems. CSD's research also contributes to securing the nation's critical infrastructure systems. Moreover, the Division
has an active role in both national and international standards organizations in promoting the interests of security and U.S.
industry.
Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the
Previous Year
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7219
Final NISTIR 7224 8/1/2005 4th Annual PKI R&D Workshop "Multiple Paths to Trust" Proceedings
Topic Conferences & Workshops; PKI; Research
Keyword authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI);
security; signatures; trust mechanisms; validation
Family
Abstract NIST hosted the fourth annual Public Key Infrastructure (PKI) Research Workshop on April 19-21, 2005. The two and a
half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges
in deploying public key authentication and authorization technologies. These proceedings include the 17 refereed papers,
and captures the essence of the six panels and interaction at the workshop. The workshop also included a work-in-
progress session and a birds-of-a-feather session during the evenings at the workshop hotel. Attendees included
presenters from the United Kingdom, Canada, New Zealand, and Japan. Due to the success of this event, a fifth workshop
is planned for April 4-6, 2006.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7224
Final NISTIR 7250 10/19/2005 Cell Phone Forensic Tools: an Overview and Analysis
Topic Forensics; Incident Response; Services & Acquisitions
Keyword cell phone forensics; cell phones; computer forensics; mobile devices
Family
Abstract Cell phones and other handheld devices incorporating cell phone capabilities (e.g., Personal Digital Assistant (PDA) phones) are
ubiquitous. Rather than just placing calls, certain phones allow users to perform additional tasks such as SMS (Short Message Service)
messaging, Multi-Media Messaging Service (MMS) messaging, IM (Instant Messaging), electronic mail, Web browsing, and basic PIM
(Personal Information Management) applications (e.g., phone and date book). PDA phones, often referred to as smart phones, provide
users with the combined capabilities of both a cell phone and a PDA. In addition to network services and basic PIM applications, one
can manage more extensive appointment and contact information, review electronic documents, give a presentation, and perform other
tasks.
All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and
sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As
digital technology evolves, the capabilities of these devices continue to improve rapidly. When cell phones or other cellular devices are
involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of
information present on the device. This report gives an overview of current forensic software, designed for acquisition, examination, and
reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7250
Final NISTIR 7275 Rev. 3 1/1/2008 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4
Topic Audit & Accountability; Maintenance; Security Automation
Keyword benchmarks; checklists; eXtensible Configuration Checklist Description Format; FISMA; security controls; vulnerabilities;
XCCDF
Family Audit & Accountability; Configuration Management; Maintenance
Abstract This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible
Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of
security configuration rules for some set of target systems. The XCCDF specification is designed to support information
interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance
scoring. The specification also defines a data model and format for storing results of security guidance or checklist
compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other
configuration guidance, and thereby foster more widespread application of good security practices.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7275-Rev.%203
Final NISTIR 7275 Rev. 4 9/30/2011 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
Topic Audit & Accountability; Maintenance; Security Automation
Keyword benchmarks; checklists; eXtensible Configuration Checklist Description Format; FISMA; security controls; vulnerabilities;
XCCDF
Family Audit & Accountability; Configuration Management; Maintenance
Abstract This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible
Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of
security configuration rules for some set of target systems. The XCCDF specification is designed to support information
interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring.
The specification also defines a data model and format for storing results of security guidance or checklist testing. The
intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance,
and thereby foster more widespread application of good security practices.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7275-Rev.%204
Final NISTIR 7284 1/6/2006 Personal Identity Verification Card Management Report
Topic Audit & Accountability; Awareness & Training; Biometrics; Maintenance; Personal Identity Verification (PIV); Planning;
Services & Acquisitions; Smart Cards
Keyword authentication; card management systems; Homeland Security Presidential Directive 12; Personal Identity Verification;
PIV; smart cards
Family
Abstract NIST Special Publication 800-73 (http://piv.nist.gov) provides technical specifications for Personal Identity Verification
(PIV) cards. However, it does not contain a complete card management specification for PIV systems. This Report
provides an overview of card management systems, identifies generic card management requirements, and considers
some technical approaches to filling the existing gaps in PIV card management. The primary guiding principle in selecting
technical approaches for consideration is that they require no changes to the existing PIV specifications.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7284
Final NISTIR 7285 2/1/2006 Computer Security Division 2005 Annual Report
Topic Annual Reports
Keyword annual report; computer security; computer security awareness; Computer Security Division; computer security guidance;
computer security research; cryptographic standards; cyber security; IT security; security testing and metrics
Family
Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security
Division during the Fiscal Year 2005. It discusses all projects and programs within the Division, staff highlights, and
publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the
Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology
(IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information
technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal
Information Security Management Act (FISMA) of 2002 and the Cyber Security Research and Development Act of 2002.
Beyond the role to serve the Federal Agencies under FISMA, CSD standards and guidelines are often voluntarily used by
U.S. industry, global industry, and foreign governments as sources of information and direction for securing information
systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, the Division
has an active role in both national and international standards organizations in promoting the interests of security and U.S.
industry.
Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the
Previous Year
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7285
Final NISTIR 7290 3/1/2006 Fingerprint Identification and Mobile Handheld Devices: An Overview and Implementation
Topic Authentication; Biometrics
Keyword authentication; biometrics; fingerprint identification; mobile devices
Family
Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as
coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive
business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks
to an organization’s security by the information they contain or can access remotely.
Enabling adequate user authentication is the first line of defense against unauthorized use of an unattended, lost, or
stolen handheld device. This report describes using fingerprint identification on handheld devices. Two types of solutions
are described: one that uses the computational capabilities of the handheld device to authenticate a user’s fingerprints,
the other that uses the computational capabilities of a specialized processor to offload processing by the handheld device.
Details of the design and implementation of both solutions are provided.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7290
Final NISTIR 7298 Rev. 2 5/31/2013 Glossary of Key Information Security Terms
Topic General IT Security
Keyword Cyber Security; Definitions; Glossary; Information Assurance; Information Security; Terms
Family
Abstract The National Institute of Standards and Technology (NIST) has received numerous requests to provide a summary
glossary for our publications and other relevant sources, and to make the glossary available to practitioners. As a result of
these requests, this glossary of common security terms has been extracted from NIST Federal Information Processing
Standards (FIPS), the Special Publication (SP) 800 series, NIST Interagency Reports (NISTIRs), and from the Committee
for National Security Systems Instruction 4009 (CNSSI-4009). This glossary includes most of the terms in the NIST
publications. It also contains nearly all of the terms and definitions from CNSSI-4009. This glossary provides a central
resource of terms and definitions most commonly used in NIST information security publications and in CNSS information
assurance publications. For a given term, we do not include all definitions in NIST documents – especially not from the
older NIST publications. Since draft documents are not stable, we do not refer to terms/definitions in them.
Each entry in the glossary points to one or more source NIST publications, and/or CNSSI-4009, and/or supplemental
sources where appropriate. The NIST publications referenced are the most recent versions of those publications (as of the
date of this document).
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7298
Final NISTIR 7313 7/18/2006 5th Annual PKI R&D Workshop "Making PKI Easy to Use" Proceedings
Topic Conferences & Workshops; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart
Cards
Keyword authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI);
security; signatures; validation
Family Access Control; Identification & Authentication; System & Services Acquisition
Abstract NIST hosted the fifth annual Public Key Infrastructure (PKI) Research Workshop on April 4-6, 2006. The two and a half
day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in
deploying public key authentication and authorization technologies. This proceedings includes the 7 refereed papers, and
captures the essence of the keynote, four invited talks, five panels and interaction at the workshop. The workshop also
included a work-in-progress session and, new this year, an informal rump session. Attendees included presenters from
the USA, United Kingdom, Israel, Australia, Norway, Sweden, Germany and Canada. Due to the success of this event, a
sixth workshop is planned for Spring 2007.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7313
Final NISTIR 7316 9/29/2006 Assessment of Access Control Systems
Topic Audit & Accountability; Planning; Risk Assessment
Keyword access control; authentication; authorization; Discretionary Access Control; Non-Discretionary Access Control; RBAC;
Role-Based Access Control; Rule-Based Access Control; security metrics; XML-Based Access Control
Family
Abstract Access control is perhaps the most basic aspect of computer security. Nearly all applications that deal with financial,
privacy, safety, or defense include some form of access control. In many systems access control takes the form of a
simple password mechanism, but many require more sophisticated and complex control. In addition to the authentication
mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases,
authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various
documents and the security level of the user accessing those documents. This publication explains some of the most
commonly used access control services available in information technology systems, their structure, where they are likely
to be used, and advantages and disadvantages of each.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7316
DRAFT NISTIR 7328 9/29/2007 Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment
Credentialing Program for Federal Information Systems
Topic Certification & Accreditation (C&A)
Keyword
Family Certification, Accreditation & Security Assessments
Abstract This report provides an initial set of requirements security assessment providers should satisfy to demonstrate capability
to conduct information system security control assessments in accordance with NIST standards and guidelines. This
report also identifies some customer’s responsibilities in providing an effective and cooperative environment in which
security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is
to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe
important for security assessment providers to demonstrate competence for a credentialing program. Based on comments
received NIST will update and republish this report and use it as reference in further development of a credentialing
program for security assessment providers. Security assessments involve the comprehensive assessment of the
management, operational, and technical security controls in federal information systems to determine the extent to which
the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting
the security requirements for the system.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7328
Final NISTIR 7337 8/31/2006 Personal Identity Verification Demonstration Summary
Topic Personal Identity Verification (PIV)
Keyword CRADA; Cooperative Research and Development Agreement; demonstration project; FIPS 201; Personal Identity
Verification; PIV
Family
Abstract This paper provides a summary of the NIST Personal Identity Verification (PIV) Demonstration. The PIV Demonstration
took place from May 15 to June 14, 2006. Forty-four companies voluntarily participated through a Cooperative Research
and Development Agreement (CRADA). The purpose of the demonstration was to show proof of concept and
interoperability demonstrations of commercially available products that support FIPS 201 and the accompanying Special
Publications. The results are summarized by product category.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7337
Final NISTIR 7358 1/1/2007 Program Review for Information Security Management Assistance (PRISMA)
Topic Audit & Accountability; General IT Security; Planning
Keyword action plan; evaluation; inspections; maturity level; PRISMA; security issues; security reviews
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Planning
Abstract Several sources of guidance, policies, standards and legislative acts provide many requirements for the federal agencies
when protecting entrusted information. Various assessments, reviews, and inspections are an outcome of these
information security requirements to monitor federal agency compliance. The manner in which these monitoring
approaches are implemented may be very different, impacting agency resource constraints. The Federal Information
Security Management Act (FISMA) of 2002 charged NIST to provide technical assistance to agencies regarding
compliance with the standards and guidelines developed for securing information systems, as well as information security
policies, procedures, and practices. This Interagency Report provides an overview of the NIST Program Review for
Information Security Management Assistance (PRISMA) methodology. PRISMA is a tool developed and implemented by
NIST for reviewing the complex information security requirements and posture of a federal program or agency. This report
is provided as a framework for instructional purposes as well as to assist information security personnel, internal
reviewers, auditors, and agency Inspector General (IG) staff personnel.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7358
Final NISTIR 7359 1/1/2007 Information Security Guide for Government Executives
Topic Awareness & Training; General IT Security; Planning
Keyword information security; information security program elements; security laws; security program; security regulations and
standards
Family Awareness & Training; Planning
Abstract Information Security Guide for Government Executives provides a broad overview of information security program concepts to assist
senior leaders in understanding how to oversee and support the development and implementation of information security programs.
Management is responsible for: (1) Establishing the organization's information security program; (2) Setting program goals and priorities
that support the mission of the organization; and (3) Making sure resources are available to support the security program and make it
successful. Senior leadership commitment to security is more important now than ever before. Studies have shown that senior
management's commitment to information security initiatives is the number one critical element that impacts an information security
program's success. Meeting this need necessitates senior leadership to focus on effective information security governance and support
which requires integration of security into the strategic and daily operations of an organization. When considering this challenge, five key
security questions emerge for the executive: (1) What are the information security laws, regulations, standards, and guidance that I need
to understand to build an effective security program? (2) What are the key activities to build an effective security program? (3) Why do I
need to invest in security? (4) Where do I need to focus my attention in accomplishing critical security goals? (5) Where can I learn more
to assist me in evaluating the effectiveness of my security program? This guide provides the answers to those questions.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7359
Final NISTIR 7387 3/21/2007 Cell Phone Forensic Tools: an Overview and Analysis Update
Topic Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions
Keyword cell phones; computer forensics; handheld devices; mobile devices
Family Incident Response; Planning; System & Services Acquisition
Abstract Cell phones and other handheld devices incorporating cell phone capabilities (e.g., Personal Digital Assistant (PDA) phones) are
ubiquitous. Rather than just placing calls, most phones allow users to perform additional tasks, including Short Message Service (SMS)
messaging, Multi-Media Messaging Service (MMS) messaging, Instant Messaging (IM), electronic mail, Web browsing, and basic
Personal Information Management (PIM) applications (e.g., phone and date book). PDA phones, often referred to as smart phones,
provide users with the combined capabilities of both a cell phone and a PDA. In addition to network services and basic PIM applications,
one can manage more extensive appointment and contact information, review electronic documents, give a presentation, and perform
other tasks.
All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and
sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As
digital technology evolves, the existing capabilities of these devices continue to improve rapidly. When cell phones or other cellular
devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination
of information present on the device. This report provides an overview on current tools designed for acquisition, examination, and
reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations. It is a follow-on to
NISTIR 7250, "Cell Phone Forensic Tools: an Overview and Analysis", which focuses on tools that have undergone significant updates
since that publication or were not covered previously.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7387
Final NISTIR 7399 3/21/2007 Computer Security Division 2006 Annual Report
Topic Annual Reports
Keyword annual report; computer security; computer security awareness; Computer Security Division; computer security guidance;
computer security research; cryptographic standards; cyber security; IT security; security testing and metrics
Family
Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security
Division during the Fiscal Year 2006. It discusses all projects and programs within the Division, staff highlights, and
publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the
Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology
(IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information
technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal
Information Security Management Act (FISMA) of 2002 and the Cyber Security Research and Development Act of 2002.
Beyond the role to serve the Federal agencies under FISMA, CSD standards and guidelines are often voluntarily used by
U.S. industry, global industry, and foreign governments as sources of information and direction for securing information
systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, CSD has an
active role in both national and international standards organizations in promoting the interests of security and U.S.
industry.
Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the
Previous Year
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7399
Final NISTIR 7427 9/13/2007 6th Annual PKI R&D Workshop "Applications-Driven PKI" Proceedings
Topic Conferences & Workshops; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart
Cards
Keyword authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI);
security; signatures; validation
Family
Abstract NIST hosted the sixth Annual Public Key Infrastructure (PKI) Research Workshop on April 17-19, 2007. The two and a
half day event brought together PKI experts from academia, industry, and government who had a particular interest in novel
approaches to simplifying the use and management of X.509 digital certificates, both within and across enterprises. This
proceedings includes the 9 refereed papers, and captures the essence of the keynote, four panels and interaction at the
workshop. The workshop also included a birds-of-a-feather session and an informal rump session. Attendees included
presenters from the USA, Canada, Brazil, Czech Republic, Israel, Japan, Singapore, Uganda, and the UK. Due to the
success of this event, a seventh workshop is planned for Spring 2008.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7427
Final NISTIR 7435 8/30/2007 The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems
Topic General IT Security; Security Automation; Viruses & Malware
Keyword Common Vulnerability Scoring System; CVSS; National Vulnerability Database; NVD; security metrics; vulnerability
scoring
Family Configuration Management
Abstract The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics
and impacts of IT vulnerabilities. The National Vulnerability Database (NVD) provides specific CVSS scores for virtually all
publicly known vulnerabilities. Federal agencies can use the Federal Information Processing Standards (FIPS) 199
security categories with the NVD CVSS scores to obtain impact scores that are tailored to each agency's environment.
CVSS consists of three groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from
0.0 to 10.0, and a vector, a compressed textual representation that reflects the values used to derive the score. The Base
group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability
that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any
user's environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and
researchers to all benefit by adopting this common language of scoring IT vulnerabilities.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7435
Final NISTIR 7442 4/1/2008 Computer Security Division 2007 Annual Report
Topic Annual Reports
Keyword annual report; Computer Security Division; projects; highlights
Family
Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002,
requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming
year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a
component of NIST's Information Technology Laboratory (ITL), is to provide standards and technology that protects
information systems against threats to the confidentiality, integrity, and availability of information and services. During
Fiscal Year 2007 (FY 2007), CSD successfully responded to numerous challenges and opportunities in fulfilling that
mission. Through CSD's diverse research agenda and engagement in many national priority initiatives, high-quality,
cost-effective security and privacy mechanisms were developed and applied that improved information security across the
federal government and the greater information security community. This annual report highlights the research agenda
and activities in which CSD was engaged during FY 2007.
Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the
Previous Year
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7442
Final NISTIR 7452 11/30/2007 Secure Biometric Match-on-Card Feasibility Report
Topic Authentication; Biometrics; Communications & Wireless; Cryptography; Personal Identity Verification (PIV); PKI; Smart
Cards
Keyword biometrics; feasibility study; FIPS 201; Match-on-Card; Personal Identity Verification; PIV
Family Access Control; System & Information Integrity
Abstract FIPS 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors," and its associated special
publications define a method to perform biometric match-off-card authentication of a PIV cardholder when the PIV card is
inserted into a contact smart card reader. Today, many smart cards, however, implement match-on-card technologies and
are designed to perform cardholder authentication using a contactless interface. Contactless match-on-card operation
requires additional security measures to ensure the transaction data is encrypted and can be securely transmitted, which
can impact performance. NIST conducted the Secure Biometric Match-on-Card (SBMOC) feasibility study to understand
the effects of security on performance. This report describes the tests that were conducted to obtain timing metrics for the
SBMOC feasibility study and provides a summary of the test results.
This feasibility study also allows NIST to explore smart card technology advancements for possible extension of the FIPS
201 and / or other smart card standards.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7452
Final NISTIR 7497 9/30/2010 Security Architecture Design Process for Health Information Exchanges (HIEs)
Topic Planning; Research; Risk Assessment; Services & Acquisitions
Keyword Health Information Exchange; health IT; HIE; information security
Family Access Control; Planning; Risk Assessment; System & Services Acquisition
Abstract The purpose of this publication is to provide a systematic approach to designing a technical security architecture for the
exchange of health information that leverages common government and commercial practices and that demonstrates how
these practices can be applied to the development of HIEs. This publication assists organizations in ensuring that data
protection is adequately addressed throughout the system development life cycle, and that these data protection
mechanisms are applied when the organization develops technologies that enable the exchange of health information.
Legal Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7497
Final NISTIR 7502 12/27/2010 The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities
Topic Risk Assessment; Security Automation
Keyword security configuration; security measurement; vulnerability measurement; vulnerability scoring
Family Configuration Management; Risk Assessment
Abstract The Common Configuration Scoring System (CCSS) is a set of measures of the severity of software security configuration
issues. CCSS is derived from the Common Vulnerability Scoring System (CVSS), which was developed to measure the
severity of vulnerabilities due to software flaws. CCSS can assist organizations in making sound decisions as to how
security configuration issues should be addressed and can provide data to be used in quantitative assessments of the
overall security posture of a system. This report defines proposed measures for CCSS and equations to be used to
combine the measures into severity scores for each configuration issue. The report also provides several examples of
how CCSS measures and scores would be determined for a diverse set of security configuration issues.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7502
Final NISTIR 7511 Rev. 3 7/11/2013 Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements
Topic Certification & Accreditation (C&A); Security Automation
Keyword Security Content Automation Protocol (SCAP); SCAP derived test requirements (DTR); SCAP validated tools; SCAP
validation
Family Certification, Accreditation & Security Assessments; System & Services Acquisition
Abstract This report defines the requirements and associated test procedures necessary for products to achieve one or more
Security Content Automation Protocol (SCAP) validations. Validation is awarded based on a defined set of SCAP
capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary
Laboratory Accreditation Program (NVLAP).
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7511-Rev.%203
Final NISTIR 7516 8/27/2008 Forensic Filtering of Cell Phone Protocols
Topic Forensics; Research
Keyword cell phones; computer forensics; phone managers; protocol filters
Family Audit & Accountability
Abstract Phone managers are non-forensic software tools designed to carry out a range of tasks for the user, such as reading and
updating the contents of a phone, using one or more of the communications protocols supported by the phone. Phone
managers are sometimes used by forensic investigators to recover data from a cell phone when no suitable forensic tool
is available. While precautions can be taken to preserve the integrity of data on a cell phone, inherent risks exist. Applying
a forensic filter to phone manager protocol exchanges with a device is proposed as a means to reduce risk.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7516
Final NISTIR 7536 3/16/2009 Computer Security Division 2008 Annual Report
Topic Annual Reports
Keyword annual report; Computer Security Division; projects; highlights
Family
Abstract This annual report covers the work conducted within the National Institute of Standards and Technology's Computer
Security Division during Fiscal Year 2008. It discusses all projects and programs within the Division, staff highlights, and
publications.
Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the
Previous Year
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7536
Final NISTIR 7539 12/22/2008 Symmetric Key Injection onto Smart Cards
Topic Cryptography; Smart Cards
Keyword card authentication key; cryptographic key management; FIPS 201; HSPD-12; PACS; Personal Identity Verification;
Physical Access Control Systems; PIV; smart cards
Family Identification & Authentication
Abstract This paper describes architectures for securely injecting secret keys onto smart cards. Specifically, this paper details key
injection architectures based on the identity credentials available on the Personal Identity Verification (PIV) Card. The
primary goal is to create additional opportunities for the use of the PIV Card in Physical Access Control Systems (PACS).
There is significant interest in conducting a fast, accurate, and highly secured authentication transaction using symmetric
keys in PACS environments. This paper identifies ways to load site specific symmetric keys onto a PIV Card after the
card has been issued, which allows each smart card to share a unique secret key with each PACS with which it interacts.
The paper presents four protocols that enable a Card Management System (CMS) to securely load site-specific PACS
symmetric keys. Each protocol presents unique security characteristics and uses the PIV Card's card management key in
different capacities.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7539
Final NISTIR 7559 6/30/2010 Forensics Web Services (FWS)
Topic Forensics; General IT Security; Research
Keyword accountable services; digital forensics; services oriented architecture; web services
Family
Abstract Web services are currently a preferred way to architect and provide complex services. This complexity arises due to the
composition of new services and dynamically invoking existing services. These compositions create service
interdependencies that can be misused for monetary or other gains. When a misuse is reported, investigators have to navigate
through a collection of logs to recreate the attack. In order to facilitate that task, we propose creating forensics web
services (FWS) that would securely maintain transactional records between other web services. These secure records
can be re-linked to reproduce the transactional history by an independent agency. In this report we show the necessary
components of a forensic framework for web services and its success through a case study.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7559
Final NISTIR 7564 4/30/2009 Directions in Security Metrics Research
Topic General IT Security; Research; Risk Assessment
Keyword computer security; security evaluation; security metrics
Family Risk Assessment
Abstract More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and
understanding in physical science. During the last few decades, researchers have made various attempts to develop
measures and systems of measurement for computer security with varying degrees of success. This paper provides an
overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the
state of the art.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7564
Final NISTIR 7581 9/30/2009 System and Network Security Acronyms and Abbreviations
Topic General IT Security
Keyword network security; system security
Family
Abstract This report contains a list of selected acronyms and abbreviations for system and network security terms with their
generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system
and network security publications.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7581
Final NISTIR 7601 8/31/2010 Framework for Emergency Response Official (ERO): Authentication and Authorization Infrastructure
Topic Authentication
Keyword authentication; authorization; emergency response officials; identity and attribute credentials; trusted tokens
Family Identification & Authentication
Abstract This document describes a framework (with the acronym ERO-AA) for establishing an infrastructure for authentication and
authorization of Emergency Response officials (ERO) who respond to various types of man-made and natural disasters.
The population of individuals authenticated and authorized under ERO-AA infrastructure includes Federal Emergency
Response Officials (FEROs), State/Local/Tribal/Private Sector Emergency Response Officials (SLTP-EROs) and the
FEMA Disaster Reserve Workforce (DRW). The system supports the establishment, conveyance and validation of Identity
Credentials (ICs), Attribute Credentials (ATs) and Deployment Authorization Credentials (DAs). Apart from enumeration of
the types of EROs and their associated authority domains (called major players) and types of credentials, the
conceptualization of the framework for ERO-AA infrastructure includes detailed description of various component services
under three major service classes: Credentialing Service Class, Identity Verification and Attribute Validation Service Class
and Trust Federation Service Class. The framework is predicated upon the use of trusted tokens capable of supporting
biometric as well as secret key based identity authentication.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7601
Final NISTIR 7609 1/8/2010 Cryptographic Key Management Workshop Summary June 8-9, 2009
Topic Conferences & Workshops; Cryptography; PKI
Keyword CKM; CKM System Design Framework; cryptographic key management; cryptographic security
Family
Abstract On June 8 and 9, 2009, NIST held a Cryptographic Key Management (CKM) Workshop at its Gaithersburg, Maryland,
campus that attracted approximately 80 people attending the workshop in person, with another 75 participating through
video conferencing, and an additional 36 participating via audio teleconferencing. A total of 36 speakers, including
technical experts, security standards leaders, and experienced managers gave presentations on various aspects of CKM
during the workshop. Two presentations were made remotely via audio teleconferencing facilities. This summary provides
the highlights of workshop presentations organized both by major CKM topics and also by presenter.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7609
Final NISTIR 7611 8/14/2009 Use of ISO/IEC 24727
Topic Authentication; Awareness & Training; Biometrics; Cryptography; Digital Signatures; General IT Security; Personal
Identity Verification (PIV); PKI; Planning; Research
Keyword authentication; HSPD-12; identity credentials; ISO/IEC 24727; Personal Identity Verification; PIV; smart card identity
applications
Family Access Control; Awareness & Training; Identification & Authentication; Planning
Abstract This document describes the use of ISO/IEC 24727 in enabling client-applications to access identity credentials issued by
different credential issuers.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7611
Final NISTIR 7617 10/14/2009 Mobile Forensic Reference Materials: a Methodology and Reification
Topic Communications & Wireless; Forensics; Research
Keyword computer forensics; forensic tool validation; mobile devices
Family
Abstract This report concerns the theoretical and practical issues with automatically populating mobile devices with reference test
data for use as reference materials in validation of forensic tools. It describes an application and data set developed to
populate identity modules and highlights subtleties involved in the process. Intriguing results attained by recent versions of
commonly-used forensic tools when used to recover the populated data are also discussed. The results indicate that
reference materials can be used to identify a variety of inaccuracies that exist in present-day forensic tools.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7617
Final NISTIR 7620 9/1/2009 Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition
Topic Cryptography
Keyword cryptographic hash algorithm; cryptographic hash function; cryptography; SHA-3
Family
Abstract The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm
through a public competition. The new hash algorithm will be referred to as “SHA-3” and will complement the SHA-2 hash
algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were
submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-
Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm
competition. This report describes the evaluation criteria and selection process, based on public feedback and internal
review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving
forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH,
CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7620
Final NISTIR 7621 10/1/2009 Small Business Information Security: the Fundamentals
Topic Awareness & Training; General IT Security; Planning
Keyword information security; small business
Family Access Control; Awareness & Training; Configuration Management; Contingency Planning; Identification & Authentication;
Media Protection; Personnel Security; Physical & Environmental Protection; Planning; System & Communication
Protection; System & Information Integrity; System & Services Acquisition
Abstract For some small businesses, the security of their information, systems, and networks might not be a high priority, but for their customers,
employees, and trading partners it is very important. The term Small Enterprise (or Small Organization) is sometimes used for this same
category of business or organization. A small enterprise/organization may also be a nonprofit organization. The size of a small business
varies by type of business, but typically is a business or organization with up to 500 employees. In the United States, the number of
small businesses totals to over 95% of all businesses. The small business community produces around 50% of our nation's Gross
National Product (GNP) and creates around 50% of all new jobs in our country. Small businesses, therefore, are a very important part of
our nation's economy. They are a significant part of our nation's critical economic and cyber infrastructure. Larger businesses in the
United States have been actively pursuing information security with significant resources including technology, people, and budgets for
some years now. As a result, they have become a much more difficult target for hackers and cyber criminals. Consequently, the hackers
and cyber criminals are now focusing their unwanted attention on less secure small businesses. Therefore, it is important that each
small business appropriately secure their information, systems, and networks. This Interagency Report (IR) will assist small business
management to understand how to provide basic security for their information, systems, and networks.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7621
Final NISTIR 7622 10/16/2012 Notional Supply Chain Risk Management Practices for Federal Information Systems
Topic General IT Security; Services & Acquisitions
Keyword
Family System & Services Acquisition
Abstract This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain
risk to federal information systems. It seeks to equip federal departments and agencies with a notional set of repeatable
and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an
understanding of, and visibility throughout, the supply chain.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622
Final NISTIR 7628 8/31/2010 Guidelines for Smart Grid Cyber Security
Topic Cyber-Physical Systems & Smart Grid; Risk Assessment
Keyword cyber security; privacy; security requirements; smart grid
Family
Abstract Smart Grid technologies will introduce millions of new intelligent components to the electric grid that communicate in much
more advanced ways (e.g., two-way communications, and wired and wireless communications) than in the past. This
report is for individuals and organizations who will be addressing cyber security for Smart Grid systems. The privacy
recommendations, the security requirements, and the supporting analyses that are included in this report may be used by
strategists, designers, implementers, and operators of the Smart Grid, e.g., utilities, equipment manufacturers, regulators,
as input to their risk assessment process and other tasks in the security lifecycle of a Smart Grid information system. This
report focuses on specifying an analytical framework that may be useful to an organization. It is a baseline, and each
organization must develop its own cyber security strategy for the Smart Grid. The information in this report serves as
guidance to various organizations for assessing risk and selecting appropriate security requirements and privacy
recommendations.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628
DRAFT NISTIR 7628 Rev. 1 10/25/2013 Guidelines for Smart Grid Cyber Security
Topic Cyber-Physical Systems & Smart Grid; Risk Assessment
Keyword advanced metering infrastructure; architecture; cryptography; cybersecurity; electric grid; privacy; security requirements;
smart grid
Family
Abstract This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations
can use to develop effective cybersecurity strategies tailored to their particular combinations of Smart Grid-related
characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders—from
utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use
the methods and supporting information presented in this report as guidance for assessing risk and identifying and
applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively
closed system to a complex, highly interconnected environment. Each organization’s cybersecurity requirements should
evolve as technology advances and as threats to grid security inevitably multiply and diversify.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628r1
Final NISTIR 7653 3/23/2010 Computer Security Division 2009 Annual Report
Topic Annual Reports
Keyword annual report; Computer Security Division; projects; highlights
Family
Abstract This annual report covers the work conducted within the National Institute of Standards and Technology's Computer
Security Division during Fiscal Year 2009. It discusses all projects and programs within the Division, staff highlights, and
publications.
Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the
Previous Year
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7653
Final NISTIR 7657 3/30/2010 A Report on the Privilege (Access) Management Workshop
Topic Conferences & Workshops
Keyword access control; credential; eXtensible Access Control Markup Language; healthcare IT; Health Insurance Portability and
Accountability Act; HIPAA; identity; privilege management; RAdAC; Risk-Adaptable Access Control; XACML
Family
Abstract This document is based on the discussions and conclusions of the Privilege (Access) Management Workshop held on 1-3
September, 2009 at the Gaithersburg, Maryland facilities of the National Institute of Standards and Technology (NIST),
sponsored by NIST and the National Security Agency (NSA). This document includes additional material resulting from in
scope comments made by workshop participants and the public during the review periods for this document. An overview
of the workshop is available in the published proceedings of the workshop.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7657
Final NISTIR 7658 2/24/2010 Guide to SIMfill Use and Development
Topic Forensics; Research
Keyword computer forensics; reference materials; tool validation
Family Incident Response
Abstract SIMfill is a proof-of-concept, open source application developed by NIST to populate identity modules with test data, as a
way to assess the recovery capability of mobile forensic tools. An initial set of test data is also provided with SIMfill as a
baseline for creating other test cases. This report describes the design and organization of SIMfill in sufficient detail to
allow informed use and experimentation with the software and test data provided, including the option to modify and
extend the program and data provided to meet specific needs.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7658
Final NISTIR 7665 1/1/2010 Proceedings of the Privilege Management Workshop, September 1-3, 2009
Topic Conferences & Workshops
Keyword access control; eXtensible Access Control Markup Language; healthcare IT; Health Insurance Portability and
Accountability Act; HIPAA; privilege management; RAdAC; Risk-Adaptable Access Control; XACML
Family
Abstract Privilege management is large and complex, often the source of heated debate and opinion, and fraught with widely-
understood, yet ill-defined terminology and concepts. The National Institute of Standards and Technology (NIST) and the
National Security Agency (NSA) sponsored the first Privilege Management Workshop at NIST's main campus in
Gaithersburg, Maryland, September 1-3, 2009. The workshop was attended by approximately 120 people representing
Executive branch Federal agencies, the private sector, and academia. The primary goal of this first workshop was to
bring together a wide spectrum of individuals representing differing viewpoints, use cases, and organizational needs with
the intent to reach a common understanding of several facets of this important area. This includes reaching consensus on
the definition of privilege management and other terminology; understanding and analyzing the strengths and weaknesses
of current and proposed access control models; ascertaining the current state of the practice and future research
directions in privilege management; and understanding and articulating the managerial, legal, and policy requirements
associated with privilege management.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7665
DRAFT NISTIR 7669 3/10/2010 Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements
Topic Certification & Accreditation (C&A)
Keyword conformance testing; Open Vulnerability Assessment Language; OVAL; vulnerabilities
Family
Abstract This report describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a
defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST
National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited
laboratories and for vendors interested in receiving OVAL validation for their products.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7669
DRAFT NISTIR 7670 2/10/2011 Proposed Open Specifications for an Enterprise Remediation Automation Framework
Topic Audit & Accountability; General IT Security; Incident Response; Services & Acquisitions
Keyword security automation; Security Content Automation Protocol; SCAP; enterprise security
Family Audit & Accountability; Configuration Management; Incident Response
Abstract The success of SCAP in automated system assessment has fostered research related to the development of similar open
specifications in support of enterprise remediation. Enterprise remediation is focused on delivering capabilities that allow
organizations to identify, describe and implement desired system changes across the enterprise. Remediation actions can
include changes to the configuration of an operating system or application, installation of a software patch, or the
installation or removal of applications and libraries. This report examines technical use cases for enterprise remediation,
identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those
requirements.
This report is a product of ongoing collaboration between the National Institute of Standards and Technology (NIST), the
US Department of Defense, and the MITRE Corporation. Participation from a broader community of interested parties is
actively sought to help define, refine and mature proposed remediation standards.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7670
Final NISTIR 7676 6/18/2010 Maintaining and Using Key History on Personal Identity Verification (PIV) Cards
Topic Cryptography; Personal Identity Verification (PIV); PKI; Smart Cards
Keyword key management; Personal Identity Verification; PIV; smart cards
Family System & Communication Protection
Abstract NIST Special Publication 800-73-3 introduces the ability to store retired Key Management Keys within the Personal
Identity Verification (PIV) Card Application on a PIV Card. This paper complements SP 800-73-3 by providing some of the
rationale for the design of the mechanism for storing retired Key Management Keys on PIV Cards and by providing
suggestions to smart card vendors, PIV Card Issuers, and middleware developers on the use of the Key History
mechanism.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7676
Final NISTIR 7692 4/7/2011 Specification for the Open Checklist Interactive Language (OCIL) Version 2.0
Topic Audit & Accountability; Certification & Accreditation (C&A); Risk Assessment; Security Automation
Keyword assessment; OCIL; Open Checklist Interactive Language; questionnaire; SCAP; security automation; Security Content
Automation Protocol; XML
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Risk Assessment
Abstract This report defines version 2.0 of the Open Checklist Interactive Language (OCIL). The intent of OCIL is to provide a
standardized basis for expressing questionnaires and related information, such as answers to questions and final
questionnaire results, so that the questionnaires can use a standardized, machine-readable approach to interacting with
humans and using information stored during previous data collection efforts. OCIL documents are Extensible Markup
Language (XML) based. This report defines and explains the requirements that IT products and OCIL documents
asserting conformance with the OCIL 2.0 specification must meet.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7692
Final NISTIR 7693 6/17/2011 Specification for Asset Identification 1.1
Topic Audit & Accountability; Security Automation
Keyword asset identification; asset management; IT management
Family Audit & Accountability; Configuration Management
Abstract Asset identification plays an important role in an organization's ability to quickly correlate different sets of information
about assets. This specification provides the necessary constructs to uniquely identify assets based on known identifiers
and/or known information about the assets. This specification describes the purpose of asset identification, a data model
for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a
number of known use cases for asset identification.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7693
Final NISTIR 7694 6/21/2011 Specification for Asset Reporting Format 1.1
Topic Audit & Accountability; Security Automation
Keyword ARF; Asset Reporting Format; IT management
Family Audit & Accountability; Configuration Management
Abstract This specification describes the Asset Reporting Format (ARF), a data model for expressing the transport format of
information about assets and the relationships between assets and reports. The standardized data model facilitates the
reporting, correlating, and fusing of asset information throughout and between organizations. ARF is vendor and
technology neutral, flexible, and suited for a wide variety of reporting applications. The intent of ARF is to provide a
uniform foundation for the expression of reporting results, fostering more widespread application of sound IT management
practices. ARF can be used for any type of asset, not just IT assets.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7694
Final NISTIR 7695 8/19/2011 Common Platform Enumeration: Naming Specification Version 2.3
Topic Audit & Accountability; Security Automation
Keyword Common Platform Enumeration; CPE; SCAP; security automation
Family Audit & Accountability; Configuration Management
Abstract This report defines the Common Platform Enumeration (CPE) Naming version 2.3 specification. The CPE Naming
specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description
and naming. The CPE Naming specification defines the logical structure of names for IT product classes and the
procedures for binding and unbinding these names to and from machine-readable encodings. This report also defines and
explains the requirements that IT products must meet for conformance with the CPE Naming version 2.3 specification.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7695
Final NISTIR 7696 8/19/2011 Common Platform Enumeration: Name Matching Specification Version 2.3
Topic Audit & Accountability; Security Automation
Keyword Common Platform Enumeration; CPE; SCAP; security automation
Family Audit & Accountability; Configuration Management
Abstract This report defines the Common Platform Enumeration (CPE) Name Matching version 2.3 specification. The CPE Name
Matching specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product
description and naming. The CPE Name Matching specification provides a method for conducting a one-to-one
comparison of a source CPE name to a target CPE name. In addition to defining the specification, this report also defines
and explains the requirements that IT products must meet for conformance with the CPE Name Matching version 2.3
specification.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7696
Final NISTIR 7697 8/19/2011 Common Platform Enumeration: Dictionary Specification Version 2.3
Topic Audit & Accountability; Security Automation
Keyword Common Platform Enumeration; CPE; SCAP; security automation
Family Audit & Accountability; Configuration Management
Abstract This report defines the Common Platform Enumeration (CPE) Dictionary version 2.3 specification. The CPE Dictionary
Specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description
and naming. An individual CPE dictionary is a repository of IT product names, with each name in the repository identifying
a unique class of IT product in the world. This specification defines the semantics of the CPE Dictionary data model and
the rules associated with CPE dictionary creation and management. This report also defines and explains the
requirements that IT products and services, including CPE dictionaries, must meet for conformance with the CPE
Dictionary version 2.3 specification.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7697
Final NISTIR 7698 8/19/2011 Common Platform Enumeration: Applicability Language Specification Version 2.3
Topic Audit & Accountability; Security Automation
Keyword Common Platform Enumeration; CPE; SCAP; security automation
Family Audit & Accountability; Configuration Management
Abstract This report defines the Common Platform Enumeration (CPE) Applicability Language version 2.3 specification. The CPE
Applicability Language specification is part of a stack of CPE specifications that support a variety of use cases relating to
IT product description and naming. The CPE Applicability Language data model builds on top of other CPE specifications
to provide the functionality required to allow CPE users to construct complex groupings of CPE names to describe IT
platforms. These groupings are referred to as applicability statements because they are used to designate which platforms
particular guidance, policies, etc. apply to. This report defines the semantics of the CPE Applicability Language data
model and the requirements that IT products and CPE Applicability Language documents must meet for conformance with
the CPE Applicability Language version 2.3 specification.
Legal E-Government Act of 2002/Mandates NIST Development of Security Standards;
Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7698
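The name-matching rules summarized above for NISTIR 7696 and the applicability statements described for NISTIR 7698 can be exercised end to end with the following Python. It is an added example, not code from either report. It assumes a simplified attribute comparison: only the logical values ANY (*) and NA (-) and plain literals are handled, and the in-string wildcard and escaping rules of the full matching specification are omitted; a fact-ref is counted as satisfied when the statement's name is EQUAL to or a SUPERSET of some inventory name, which is the reading adopted here. The host inventory and both statements are constructed.

```python
"""Evaluate a CPE 2.3 applicability statement against a host's CPE inventory.

Added example (not NIST's code). The inventory and statements are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Attribute names of a CPE 2.3 formatted string, in order, after the "cpe:2.3" prefix.
ATTRS = ("part", "vendor", "product", "version", "update", "edition", "language",
         "sw_edition", "target_sw", "target_hw", "other")


def parse_fs(fs: str) -> Dict[str, str]:
    """Split a formatted string into its 11 attributes.

    The formatted-string binding escapes a literal colon with a backslash,
    so split only on unescaped colons.
    """
    fields = re.split(r"(?<!\\):", fs)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(ATTRS, fields[2:]))


def attr_relation(source: str, target: str) -> str:
    """Set relation of one attribute: source (statement) versus target (inventory).

    Simplification (assumption of this example): values are the logical values
    ANY ("*") and NA ("-") or plain literals compared case-insensitively; the
    in-string wildcards "?" and "*" of the full matching rules are not handled.
    """
    if source == "*":
        return "EQUAL" if target == "*" else "SUPERSET"
    if target == "*":
        return "SUBSET"
    if source.lower() == target.lower():
        return "EQUAL"
    return "DISJOINT"


def name_matches(source: Dict[str, str], target: Dict[str, str]) -> bool:
    """A statement name covers an inventory name when no attribute is narrower."""
    return all(attr_relation(source[a], target[a]) in ("EQUAL", "SUPERSET") for a in ATTRS)


@dataclass
class FactRef:
    name: str                          # a CPE 2.3 formatted string


@dataclass
class LogicalTest:
    operator: str                      # "AND" or "OR"
    children: List[Union["FactRef", "LogicalTest"]] = field(default_factory=list)
    negate: bool = False


def evaluate(node: Union[FactRef, LogicalTest], inventory: List[str]) -> bool:
    """Recursively evaluate a logical-test tree against a list of formatted strings."""
    if isinstance(node, FactRef):
        src = parse_fs(node.name)
        return any(name_matches(src, parse_fs(t)) for t in inventory)
    if node.operator not in ("AND", "OR"):
        raise ValueError(f"unknown operator {node.operator!r}")
    results = [evaluate(child, inventory) for child in node.children]
    value = all(results) if node.operator == "AND" else any(results)
    return (not value) if node.negate else value


# Constructed inventory of one host: 64-bit Windows 7 SP1 with Adobe Reader 9.3.
HOST = [
    "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*",
    "cpe:2.3:a:adobe:reader:9.3:*:*:*:*:*:*:*",
]

# Constructed statement: "Adobe Reader 9.3 on Windows 7 or Windows Vista".
READER_ON_WIN7_OR_VISTA = LogicalTest("AND", [
    FactRef("cpe:2.3:a:adobe:reader:9.3:*:*:*:*:*:*:*"),
    LogicalTest("OR", [
        FactRef("cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*"),
        FactRef("cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*"),
    ]),
])

# Constructed statement: "any host that is NOT Windows 7" (negated test).
NOT_WIN7 = LogicalTest("AND", [FactRef("cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*")],
                       negate=True)

if __name__ == "__main__":
    print(evaluate(READER_ON_WIN7_OR_VISTA, HOST))   # True
    print(evaluate(NOT_WIN7, HOST))                  # False
```

A fact-ref whose attributes are narrower than the inventory's (a target_hw of x86 against the x64 host, or a specific version against an inventory entry whose version is ANY) evaluates to False, which is the asymmetry the source/target distinction exists to express.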
Final NISTIR 7751 5/31/2011 Computer Security Division 2010 Annual Report
Topic Annual Reports
Keyword annual report; computer security; Computer Security Division; CSD; cyber security; FISMA; highlights; projects
Family
Abstract This annual report covers the work conducted within the National Institute of Standards and Technology's Computer
Security Division during Fiscal Year 2010. It discusses all projects and programs within the Division, staff highlights, and
publications.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7751
DRAFT NISTIR 7756 1/6/2012 CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk
Assessment; Services & Acquisitions
Keyword
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident
Response; Maintenance; Risk Assessment; System & Communication Protection
Abstract [Second Public Draft] This publication presents an enterprise continuous monitoring technical reference architecture that
extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to
facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate
collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and
provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by
leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration
efforts.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7756
Final NISTIR 7764 2/23/2011 Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition
Topic Cryptography; Digital Signatures
Keyword cryptographic hash algorithm; cryptographic hash function; cryptographic hash competition; cryptography; SHA-3
competition
Family Configuration Management
Abstract The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007 to develop
a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms currently specified in the Federal
Information Processing Standard (FIPS) 180-3, Secure Hash Standard. The competition was NIST’s response to
advances in the cryptanalysis of hash algorithms.
NIST received sixty-four submissions in October 2008, and selected fifty-one candidate algorithms as the first-round
candidates on December 10, 2008, and fourteen as the second-round candidates on July 24, 2009. One year was
allocated for the public review of the second-round candidates. On December 9, 2010, NIST announced five SHA-3
finalists to advance to the third (and final) round of the competition. This report summarizes the evaluation and selection of
the five finalists – BLAKE, Grøstl, JH, Keccak and Skein.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7764
Final NISTIR 7771 2/28/2011 Conformance Test Architecture for Biometric Data Interchange Formats - Version Beta 2.0
Topic Biometrics; Research
Keyword binary data testing; biometrics; conformance test architecture; conformance testing; data interchange; standard
implementations; test cases
Family
Abstract The success of biometric applications is particularly dependent on the interoperability of biometric systems. Deploying
these systems requires a comprehensive portfolio of biometric standards developed in support of interoperability and data
interchange. A number of these domestic and international standards have been published and others are under
development. The existence of these standards alone is not enough to demonstrate that products meet the technical
requirements specified in the standards. Conformance testing captures the technical description of a specification and
measures whether an implementation faithfully implements the specification. The Computer Security Division of NIST/ITL
supports conformity assessment efforts through active technical participation in the development of conformance testing
methodology standards and the development of associated conformance test architectures (CTA) and test suites (CTS).
This NIST IR discusses the technological characteristics of the recently released CTA Beta 2.0. This architecture supports
CTSs such as the ones designed to test implementations of biometric data interchange data formats. The information
provided includes CTA modules communication methods, key CTA features and high-level sequence diagrams. It also
addresses an introduction to testing binary data, structure testing by groups of fields and a discussion on test cases.
Ongoing work on related tools development is also addressed.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7771
Final NISTIR 7773 11/1/2010 An Application of Combinatorial Methods to Conformance Testing for Document Object Model Events
Topic Research
Keyword combinatorial testing; conformance testing; Document Object Model; DOM; interoperability testing
Family System & Information Integrity
Abstract This report describes the use of combinatorial test methods to reduce the cost of testing for the Document Object Model
Events standard while maintaining an equivalent level of assurance. More than 36,000 tests – all possible combinations of
equivalence class values – were reduced by approximately a factor of 20 with no reduction in error detection effectiveness.
Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7773
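How a combinatorial method shrinks an exhaustive test set while still covering every interaction of a chosen strength is easiest to see with a small generator. The Python below is an added example, not the DOM Events suite or NIST's own tool: it builds a pairwise (2-way) covering array with a deterministic greedy procedure over a constructed parameter model of event-dispatch inputs and checks that every value pair across every parameter pair is covered. Strength 2 is an assumption made for the example; the factor-of-20 figure in the abstract depends on the report's own parameter model and interaction strength.

```python
"""Pairwise (2-way) covering array generation as a stand-in for exhaustive testing.

Added example, not the DOM Events test suite or NIST's generator. The parameter
model is constructed to resemble event-dispatch test inputs.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed parameter model: each parameter's equivalence classes.
PARAMS: Dict[str, List[str]] = {
    "event_type":        ["click", "mousedown", "mouseup"],
    "bubbles":           ["true", "false"],
    "cancelable":        ["true", "false"],
    "target_depth":      ["1", "2", "3"],
    "listener_phase":    ["capture", "target", "bubble"],
    "default_prevented": ["true", "false"],
}

Pair = Tuple[str, str, str, str]   # (param_a, value_a, param_b, value_b), a before b


def exhaustive_count(params: Dict[str, List[str]]) -> int:
    """Number of tests if every combination of equivalence classes is run."""
    n = 1
    for values in params.values():
        n *= len(values)
    return n


def all_pairs(params: Dict[str, List[str]]) -> Set[Pair]:
    """Every value pair for every pair of parameters, in parameter order."""
    names = list(params)
    return {(a, va, b, vb) for a, b in combinations(names, 2)
            for va in params[a] for vb in params[b]}


def pairs_covered(test: Dict[str, str], names: List[str]) -> Set[Pair]:
    return {(a, test[a], b, test[b]) for a, b in combinations(names, 2)}


def pairwise_tests(params: Dict[str, List[str]]) -> List[Dict[str, str]]:
    """Greedy one-test-at-a-time construction (AETG-style, deterministic).

    Seed each new test with the parameter/value occurring in the most uncovered
    pairs (so every test covers at least one new pair), then fill the remaining
    parameters in order with the value covering the most still-uncovered pairs
    against the values already fixed.
    """
    names = list(params)
    index = {n: i for i, n in enumerate(names)}

    def key(a: str, va: str, b: str, vb: str) -> Pair:
        return (a, va, b, vb) if index[a] < index[b] else (b, vb, a, va)

    uncovered = all_pairs(params)
    tests: List[Dict[str, str]] = []
    while uncovered:
        occurrences: Dict[Tuple[str, str], int] = {}
        for a, va, b, vb in uncovered:
            occurrences[(a, va)] = occurrences.get((a, va), 0) + 1
            occurrences[(b, vb)] = occurrences.get((b, vb), 0) + 1
        # Most frequent (param, value); ties broken by parameter and value position.
        seed_param, seed_value = max(
            occurrences,
            key=lambda pv: (occurrences[pv], -index[pv[0]], -params[pv[0]].index(pv[1])))
        test = {seed_param: seed_value}
        for name in names:
            if name in test:
                continue
            best_value, best_gain = params[name][0], -1
            for value in params[name]:
                gain = sum(1 for fixed, fv in test.items()
                           if key(fixed, fv, name, value) in uncovered)
                if gain > best_gain:
                    best_value, best_gain = value, gain
            test[name] = best_value
        tests.append(test)
        uncovered -= pairs_covered(test, names)
    return tests


def uncovered_pairs(tests: List[Dict[str, str]], params: Dict[str, List[str]]) -> int:
    """How many value pairs the given tests leave uncovered (0 means full 2-way coverage)."""
    names = list(params)
    covered: Set[Pair] = set()
    for t in tests:
        covered |= pairs_covered(t, names)
    return len(all_pairs(params) - covered)


if __name__ == "__main__":
    suite = pairwise_tests(PARAMS)
    print(f"exhaustive: {exhaustive_count(PARAMS)} tests, pairwise: {len(suite)} tests, "
          f"uncovered pairs: {uncovered_pairs(suite, PARAMS)}")
```

The lower bound for this model is 9 tests (the product of the two largest domains), and the exhaustive set is 216, so even a simple greedy pass gives a reduction of the same order as the abstract describes. Higher strengths (3-way and up) follow the same pattern with tuples of the chosen size in place of pairs.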
Final NISTIR 7788 8/1/2011 Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs
Topic Research
Keyword attack detection; attack graphs; computer networks; security risk
Family
Abstract Today’s information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with
devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of
vulnerabilities. To more accurately assess the security of enterprise systems, one must understand how vulnerabilities
can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic
attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are
propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This metric
for risk mitigation analysis is used to maximize the security of enterprise systems. This methodology based on
probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7788
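The likelihood propagation the abstract describes can be made concrete on a small graph. The Python below is an added example, not the report's implementation: it models conditions as OR-nodes and exploits as AND-nodes, propagates success probabilities from the attacker's initial foothold to a goal condition, and ranks single-exploit removals by the residual goal probability, which is the kind of risk-mitigation comparison the abstract refers to. The network, condition names and probabilities are constructed; treating paths as independent is a simplification and is flagged in the code.

```python
"""Likelihood propagation and single-fix ranking on a probabilistic attack graph.

Added example, not the report's code. The network, exploit probabilities and
condition names are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Each exploit: (success probability given its preconditions, preconditions, postcondition).
# The probabilities stand in for CVSS-derived likelihoods and are made up here.
Exploit = Tuple[float, List[str], str]

EXPLOITS: Dict[str, Exploit] = {
    "e1_web_rce":        (0.8, ["attacker_on_internet"], "user_on_web"),
    "e2_vpn_weak_cred":  (0.2, ["attacker_on_internet"], "user_on_web"),
    "e3_web_privesc":    (0.6, ["user_on_web"],          "root_on_web"),
    "e4_db_trust_abuse": (0.5, ["root_on_web"],          "user_on_db"),
    "e5_db_weak_ssh_pw": (0.3, ["user_on_web"],          "user_on_db"),
    "e6_db_privesc":     (0.7, ["user_on_db"],           "root_on_db"),
    "e7_db_admin_share": (0.4, ["root_on_web"],          "root_on_db"),
}
INITIAL: Set[str] = {"attacker_on_internet"}
GOAL = "root_on_db"


def condition_probabilities(exploits: Dict[str, Exploit], initial: Set[str]) -> Dict[str, float]:
    """Propagate attack likelihoods from the initial conditions through the graph.

    A condition is an OR-node: it holds if any exploit producing it succeeds.
    An exploit is an AND-node: it succeeds with probability p only when every
    precondition holds. Independence is assumed at both node types, which is
    exact only when paths share no conditions (a simplification). The graph
    must be acyclic; a cycle raises ValueError instead of recursing forever.
    """
    producers: Dict[str, List[str]] = {}
    for eid, (_, _, post) in exploits.items():
        producers.setdefault(post, []).append(eid)

    memo: Dict[str, float] = {c: 1.0 for c in initial}
    in_progress: Set[str] = set()

    def prob(cond: str) -> float:
        if cond in memo:
            return memo[cond]
        if cond in in_progress:
            raise ValueError(f"cycle through {cond!r}: propagation needs an acyclic graph")
        in_progress.add(cond)
        p_none = 1.0                       # probability that every producing exploit fails
        for eid in producers.get(cond, []):
            p, pre, _ = exploits[eid]
            p_exploit = p
            for c in pre:
                p_exploit *= prob(c)
            p_none *= 1.0 - p_exploit
        in_progress.discard(cond)
        memo[cond] = 1.0 - p_none          # unreachable conditions end up at 0.0
        return memo[cond]

    for cond in set(producers) | {c for _, pre, _ in exploits.values() for c in pre}:
        prob(cond)
    return memo


def goal_risk(exploits: Dict[str, Exploit], initial: Set[str], goal: str) -> float:
    """Probability that the attacker reaches the goal condition."""
    return condition_probabilities(exploits, initial).get(goal, 0.0)


def rank_single_fixes(exploits: Dict[str, Exploit], initial: Set[str],
                      goal: str) -> List[Tuple[str, float]]:
    """Residual goal probability after removing each exploit on its own, best fix first."""
    residual = []
    for eid in exploits:
        remaining = {k: v for k, v in exploits.items() if k != eid}
        residual.append((eid, goal_risk(remaining, initial, goal)))
    return sorted(residual, key=lambda item: item[1])


if __name__ == "__main__":
    print(f"P({GOAL}) = {goal_risk(EXPLOITS, INITIAL, GOAL):.4f}")
    for eid, left in rank_single_fixes(EXPLOITS, INITIAL, GOAL):
        print(f"  remove {eid:<18} -> P({GOAL}) = {left:.4f}")
```

On the constructed network the goal is reached with probability about 0.45, and removing the front-door web RCE cuts that further than removing any other single exploit, even though it is not the exploit that directly yields the goal. Counting vulnerabilities (seven, or six after any fix) tells you none of this, which is the point of the abstract.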
Final NISTIR 7791 6/22/2011 Conformance Test Architecture and Test Suite for ANSI/NIST-ITL 1-2007
Topic Biometrics; Certification & Accreditation (C&A)
Keyword ANSI/NIST–ITL 1-2007; biometrics; conformance test architecture; conformance testing; data interchange; standard
implementations; test assertions
Family
Abstract The Computer Security Division of NIST/ITL supports the development of biometric conformance testing methodology
standards and other conformity assessment efforts through active technical participation in the development of these
standards and the associated conformance test architectures and test suites. The ANSI/NIST-ITL standard "Data Format
for the Interchange of Fingerprint, Facial & Other Biometric Information" is used by law enforcement, intelligence, military,
and homeland security organizations throughout the world. The current version, specified in its Traditional Format, is Part
1: ANSI/NIST-ITL 1-2007. Although a revised and augmented version of the standard is under development, the 2007
version is still widely used. The Conformance Test Architecture and Test Suite described in this publication are designed
to test implementations of ANSI/NIST ITL 1-2007. The code (Beta 0.4) is currently designed to support testing of selected
record types of the standard but can be extended to support other record types as required. A high-level overview of the
architecture and test suite as well as software details and the code structure are provided. A quick start user guide and a
comprehensive table of the standard's requirements and the associated implemented conformance test assertions (over
five-hundred and thirty) are included.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7791
DRAFT NISTIR 7799 1/6/2012 Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk
Assessment; Services & Acquisitions
Keyword continuous monitoring
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident
Response; Maintenance; Risk Assessment; System & Communication Protection
Abstract This publication provides the technical specifications for the continuous monitoring (CM2) reference model presented in NIST IR 7756.
These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking,
propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that
describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications
that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication
paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain
agnostic, which means that they can be used for CM regardless of the data domain that is being monitored. A companion publication,
NIST IR 7800, binds these specifications to specific data domains (e.g., asset, configuration, and vulnerability management). The
specifications provided in this document are detailed enough to enable product instrumentation and development. They are also
detailed enough to enable product testing, validation, procurement, and interoperability. Taken together, the specifications in this
document define an ecosystem where a variety of interoperable products can be composed together to form effective CM solutions. If
properly adopted, these specifications will enable teamwork, orchestration, and coordination among CM products that currently operate
distinctly. For the computer security domain, this will greatly enhance organizational effectiveness and efficiency in addressing known
vulnerabilities and technical policy requirements, and decision making.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7799
DRAFT NISTIR 7800 1/20/2012 Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability
Management Domains
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk
Assessment; Security Automation; Services & Acquisitions
Keyword continuous monitoring; vulnerability management
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident
Response; Maintenance; Risk Assessment; System & Communication Protection
Abstract This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to
specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages
the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it
dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each
of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines
the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each
data domain.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7800
Final NISTIR 7802 9/20/2011 Trust Model for Security Automation Data 1.0 (TMSAD)
Topic Audit & Accountability; Authentication; Certification & Accreditation (C&A); Cryptography; Digital Signatures; Security
Automation
Keyword digital signatures; SCAP; security automation; Security Content Automation Protocol
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Identification &
Authentication; System & Information Integrity
Abstract This report defines the Trust Model for Security Automation Data 1.0 (TMSAD), which permits users to establish integrity,
authentication, and traceability for security automation data. Since security automation data is primarily stored and
exchanged using Extensible Markup Language (XML) documents, the focus of the trust model is on the processing of
XML documents. The trust model is composed of recommendations on how to use existing specifications to represent
signatures, hashes, key information, and identity information in the context of an XML document within the security
automation domain.
Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Certify & Accredit Systems
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7802
Final NISTIR 7806 9/16/2011 ANSI/NIST-ITL 1-2011 Requirements and Conformance Test Assertions
Topic Biometrics; Certification & Accreditation (C&A)
Keyword ANSI/NIST-ITL 1-2011; biometrics; conformance testing; data interchange; requirements; standard implementations; test
assertions
Family
Abstract The current version of the ANSI/NIST-ITL standard "Data Format for the Interchange of Fingerprint, Facial & Other Biometric
Information" is specified in two parts. Part 1, ANSI/NIST-ITL 1-2007, specifies the traditional format, and Part 2, ANSI/NIST-ITL 2-2008,
specifies a NIEM-conformant XML format. Both parts have been combined into one document, which is being revised and augmented.
The Computer Security Division (CSD) of NIST/ITL has developed a set of test assertions based on the requirements specified in the
4th draft of the new ANSI/NIST-ITL standard. Over twelve hundred test assertions have been identified and organized into a set of
tables to assist in the development of a conformance test tool designed to test implementations of the new version of the ANSI/NIST-ITL
standard for selected record types. These tables were contributed to the Conformance Testing Methodology (CTM) Working Group
which was recently established by NIST/ITL to develop a CTM for the new version of the ANSI/NIST-ITL (AN-2011) standard. A ballot
was conducted on a revised draft (5th draft) of the AN-2011 standard. A new draft will be developed based on the comments received
as a result of this ballot. As the technical content of the AN-2011 draft standard evolves towards approval and publication, and
comments on the assertion tables in this document are received, revised versions of these tables will be developed until they fully
address the requirements of the approved AN-2011 standard. This publication documents the assertions developed and the terms,
operands, and operators used in defining these assertions. Brief information on previous and ongoing conformance test tools
development within NIST/ITL CSD is included.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7806
Final NISTIR 7815 7/1/2011 Access Control for SAR Systems
Topic Authentication
Keyword ABAC; access control; law enforcement; policy; privilege management; SAR; Suspicious Activity Report; XACML
Family Access Control; System & Information Integrity
Abstract The Access Control for SAR Systems (ACSS) project focused on developing a prototype privilege management system
used to express and enforce policies for controlling access to Suspicious Activity Report (SAR) data within the law
enforcement domain. This report details the work conducted for the ACSS project including the design, implementation
and integration of distributed software components for rendering policy decisions, storing subject and resource data, and
facilitating web-based retrieval of SAR records.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7815
Final NISTIR 7816 5/8/2012 Computer Security Division 2011 Annual Report
Topic Annual Reports
Keyword Federal Information Security Management Act; FISMA; Computer Security Division; CSD; Information Security
Family
Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002,
requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming
year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component
of NIST's Information Technology Laboratory (ITL), is to provide standards and technology that protect information
systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year
2011 (FY 2011), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through
CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security
and privacy mechanisms were developed and applied that improved information security across the federal government
and the greater information security community. This annual report highlights the research agenda and activities in which
CSD was engaged during FY 2011.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7816
Final NISTIR 7817 11/7/2012 A Credential Reliability and Revocation Model for Federated Identities
Topic Authentication; Cryptography; General IT Security; Personal Identity Verification (PIV); PKI; Smart Cards
Keyword authentication; assertion; identity management; identity management system (IDMS); information; security; credential;
identity attributes
Family Access Control; Audit & Accountability; Planning
Abstract A large number of Identity Management Systems (IDMSs) are being deployed worldwide, using different technologies
to populate their user bases. With the diverse set of technologies, and the unique business requirements for
organizations to federate, there is no uniform approach to the federation process. Similarly, there is no uniform method to
revoke credentials or their associated attribute(s) in a federated community. In the absence of a uniform revocation
method, this document seeks to investigate credential and attribute revocation with a particular focus on identifying
missing requirements. This document first introduces and analyzes the different types of digital credentials and
recommends missing revocation-related requirements for each model in a federated environment. As a second goal, and
as a by-product of the analysis and recommendations, this paper suggests a credential reliability and revocation service
that serves to eliminate the missing requirements.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7817
DRAFT NISTIR 7823 6/10/2012 Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework
Topic Cyber-Physical Systems & Smart Grid; Maintenance
Keyword conformance testing; electric grid; smart grid; smart meters
Family Maintenance
Abstract Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware
upgradeability process of Advanced Metering Infrastructure (AMI) smart meters. The voluntary conformance test
requirements in Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA)
Requirements for Smart Meter Upgradeability standard, which defines requirements for smart meter firmware
upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft
NISTIR 7823 identifies test procedures that vendors and testers can voluntarily use to demonstrate a system's
conformance with the NEMA standard.
Legal Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7823
DRAFT NISTIR 7831 12/6/2011 Common Remediation Enumeration (CRE) Version 1.0
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk
Assessment
Keyword
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident
Response; Maintenance; Risk Assessment; System & Communication Protection
Abstract NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of
enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities.
Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This
specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries
are created, and defines the technical requirements for constructing CRE entries.
Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Certify & Accredit Systems
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7831
DRAFT NISTIR 7848 5/7/2012 Specification for the Asset Summary Reporting Format 1.0
Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk
Assessment; Security Automation; Services & Acquisitions
Keyword asset reporting; Asset Summary Reporting Format (ASR); continuous monitoring; information technology; security
automation; Security Content Automation Protocol (SCAP); security metrics
Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident
Response; Maintenance; Risk Assessment; System & Communication Protection
Abstract NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data
exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to
report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to
reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and
leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.
Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents;
OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated
Information Resources/Assess Risks
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7848
Final NISTIR 7849 3/5/2014 A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification
Topic Authentication; Cryptography; Personal Identity Verification (PIV); PKI; Smart Cards
Keyword card issuer; cardholder trait (biometric); person identifier; smart identity token; token secret
Family Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition
Abstract Smart cards (smart identity tokens) are now being extensively deployed for identity verification for controlling access to Information
Technology (IT) resources as well as physical resources. Depending upon the sensitivity of the resources and the risk of wrong
identification, different authentication use cases are being deployed. Assignment of authentication strength for each of the use cases is
often based on: (a) the total number of three common orthogonal authentication factors – What You Know, What You Have and What
You Are, and (b) the entropy associated with each factor chosen. The objective of this paper is to analyze the limitations of this approach
and present a methodology for assigning authentication strengths based on the strength of pairwise bindings between the five entities
involved in smart card-based authentications – the card (token), the token secret, the card holder, the card issuer, and the person
identifier stored in the card. The rationale for the methodology is based on the following three observations: (a) the form factor of the
smart identity token introduces some threats of misuse; (b) the common set of credential objects provisioned to a smart card embody
bindings to address those threats; and (c) the strength of an authentication use case should therefore be based on the number and type
of binding verifications that are performed in the constituent authentication mechanisms. The use of the methodology for developing an
authentication assurance level taxonomy for two real-world smart identity token deployments is also illustrated.
Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure
& Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7849
DRAFT NISTIR 7863 12/13/2013 Cardholder Authentication for the PIV Digital Signature Key
Topic Personal Identity Verification (PIV)
Keyword personal identification number; personal identity verification; PIN caching; PIV
Family
Abstract FIPS 201-2 requires explicit user action by the Personal Identity Verification (PIV) cardholder as a condition for use of the
digital signature key stored on the card. This document clarifies the requirement for explicit user action to encourage the
development of compliant applications and middleware that use the digital signature key.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7863
Final NISTIR 7864 7/10/2012 The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities
Topic General IT Security; Risk Assessment
Keyword security measurement; trust misuse; vulnerability measurement; vulnerability scoring
Family Configuration Management; Risk Assessment
Abstract The Common Misuse Scoring System (CMSS) is a set of measures of the severity of software feature misuse
vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is
a vulnerability in which the feature also provides an avenue to compromise the security of a system. Such vulnerabilities
are present when the trust assumptions made when designing software features can be abused in ways that violate
security. Misuse vulnerabilities allow attackers to use for malicious purposes the functionality that was intended to be
beneficial. CMSS can provide measurement data to assist organizations in making sound decisions on addressing
software feature misuse vulnerabilities and in conducting quantitative assessments of the overall security posture of a
system. This report defines proposed measures for CMSS and equations to be used to combine the measures into
severity scores for each vulnerability. The report also provides examples of how CMSS measures and scores would be
determined for selected software feature misuse vulnerabilities.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7864
Final NISTIR 7870 7/12/2012 NIST Test Personal Identity Verification (PIV) Cards
Topic Certification & Accreditation (C&A); Personal Identity Verification (PIV); Smart Cards
Keyword Personal Identity Verification; PIV; smart card; FIPS 201
Family
Abstract In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV)
Card, NIST has developed a set of test PIV Cards and a supporting public key infrastructure. This set of test cards
includes not only examples that are similar to cards that are currently issued today, but also examples of cards with
features that are expected to appear in cards that will be issued in the future. This document provides an overview of the
test cards and the infrastructure that has been developed to support their use.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7870
Final NISTIR 7874 9/14/2012 Guidelines for Access Control System Evaluation Metrics
Topic
Keyword Access Control; Authorization; Policy; Computer Security
Family
Abstract The purpose of this document is to provide Federal agencies with background information on access control (AC)
properties, and to help access control experts improve their evaluation of the highest security AC systems. This document
discusses the administration, enforcement, performance, and support properties of AC mechanisms that are embedded in
each AC system. (Even though this document covers most of the essential AC properties, the listed properties are not
necessarily complete.) This document extends the information in NIST IR 7316, Assessment of Access Control Systems
[NISTIR 7316], which demonstrates the fundamental concepts of policy, models, and mechanisms of AC systems.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7874
Final NISTIR 7877 9/14/2012 BioCTS 2012: Advanced Conformance Test Architectures and Test Suites for Biometric Data Interchange Formats and Biometric Information Records
Topic Biometrics; Certification & Accreditation (C&A)
Keyword ANSI/NIST-ITL 1-2011; biometric; Biometric Information Records; biometrics; CBEFF; conformance testing; conformance
test architecture; data interchange formats; encoding, NIEM-compliant; encoding, traditional; standards, ISO/IEC 19794;
standard implementations; test assertions; testing methodology
Family
Abstract The Computer Security Division of NIST/ITL supports the development of biometric conformance testing methodology standards and
other conformity assessment efforts through active technical participation in the development of these standards and the associated
conformance test architectures and test suites. BioCTS 2012 is biometric conformance test software designed to test implementations
for conformance to various biometric data interchange format standards. BioCTS 2012 for ANSI/NIST-ITL 1-2011 tests implementations
of NIST SP 500-290 ANSI/NIST ITL 1-2011 (AN-2011) "Data Format for the Interchange of Fingerprint, Facial & Other Biometric
Information" using test assertions documented in NIST SP 500-295, "Conformance Testing Methodology for ANSI/NIST-ITL 1-2011,
Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information (Release 1.0)." BioCTS 2012 for ISO/IEC tests
implementations of biometric data interchange formats developed by Subcommittee 37 -- Biometrics of the Joint Technical Committee 1
-- Information Technology of ISO and IEC. Support for testing Biometric Information Records (BIRs) conforming to instantiations of the
Common Biometric Exchange Formats Framework (CBEFF) specified in national and international standards is also provided. BioCTS
2012 for ANSI/NIST-ITL 1-2011 is currently designed to support testing of implementations that include any of the Record Types
defined in AN-2011, but conformance testing is only performed for the selected Record Types (1, 4, 10, 13, 14, 15, and 17). Plans exist
to extend the test tool to support additional Record Types. Information regarding BioCTS 2012 testing architectures, code structure, and
other software design details is provided.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7877
Final NISTIR 7878 10/26/2012 Combinatorial Coverage Measurement
Topic Research
Keyword combinatorial testing; factor covering array; state-space coverage; verification and
validation (V&V); t-way testing; configuration model; component interaction failure
Family
Abstract Combinatorial testing applies factor covering arrays to test all t-way combinations of input or configuration state space. In
some testing situations, it is not practical to use covering arrays, but any set of tests covers at least some portion of t-way
combinations up to t ≤ n. This report describes measures of combinatorial coverage that can be used
in evaluating the degree of t-way coverage of any test suite, regardless of whether it was initially constructed for
combinatorial coverage.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7878
Final NISTIR 7896 11/15/2012 Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition
Topic Cryptography
Keyword Cryptographic hash algorithm; Cryptographic hash function; Cryptography;
Cryptographic hash competition; SHA-3 competition.
Family
Abstract The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007, to develop
a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms specified in the Federal Information
Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS). The competition was NIST’s response to advances in
the cryptanalysis of hash algorithms.
NIST received sixty-four submissions in October 2008, and selected fifty-one first-round candidates on December 10,
2008; fourteen second-round candidates on July 24, 2009; and five third-round candidates – BLAKE, Grøstl, JH, Keccak
and Skein, on December 9, 2010, to advance to the final round of the competition. Eighteen months were provided for the
public review of the finalists, and on October 2, 2012, NIST announced the winning algorithm of the SHA-3 competition –
Keccak. This report summarizes the evaluation of the five finalists and the selection of the SHA-3 winner.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7896
DRAFT NISTIR 7904 12/21/2012 Trusted Geolocation in the Cloud: Proof of Concept Implementation
Topic Cloud Computing & Virtualization; Research
Keyword cloud computing; geolocation; Infrastructure as a Service (IaaS); virtualization
Family Access Control; Audit & Accountability; Configuration Management; System & Communication Protection; System &
Information Integrity
Abstract This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing
technologies and geolocation. It then describes a proof of concept implementation that was designed to address those
challenges. The publication provides sufficient details about the proof of concept implementation so that organizations can
reproduce it if desired. The publication is intended to be a blueprint or template that can be used by the general security
community to validate and implement the described proof of concept implementation.
Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems &
Minimum Security Requirements for Each Category
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7904
Final NISTIR 7916 2/1/2013 Proceedings of the Cybersecurity in Cyber-Physical Systems Workshop, April 23-24, 2012
Topic Conferences & Workshops; Cyber-Physical Systems & Smart Grid
Keyword CPS; cyber-physical systems; cybersecurity; networked automotive vehicles; networked medical devices;
semi-conductor manufacturing
Family
Abstract Proceedings of the Cybersecurity in Cyber-Physical Systems Workshop, April 23 – 24, 2012, complete with abstracts and slides
from presenters. Some of the cyber-physical systems covered during the first day of the workshop included networked
automotive vehicles, networked medical devices, semi-conductor manufacturing, and cyber-physical testbeds. Day two of
the workshop covered the electric smart grid. Dr. Farnam Jahanian, NSF, was the keynote speaker on day one.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7916
DRAFT NISTIR 7924 4/22/2013 Reference Certificate Policy
Topic Cryptography; PKI
Keyword certificate authority; certificate policy; digital certificate; public key infrastructure
Family
Abstract The purpose of this document is to identify a baseline set of security controls and practices to support the secure issuance
of certificates. This baseline was developed with publicly-trusted Certificate Authorities (CAs) in mind. These CAs, which
issue the certificates used to secure websites and sign software, play a particularly important role online. This document
is formatted as a Reference Certificate Policy (CP). We expect different applications and relying party communities will tailor
this document based on their specific needs. It was structured and developed so that the CP developer can fill in sections
specific to organizational needs and quickly produce a suitable CP. This Reference CP is consistent with the Internet
Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) Certificate Policy and Certification Practices
Framework.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7924
Final NISTIR 7933 5/1/2013 Requirements and Conformance Test Assertions for ANSI/NIST-ITL 1-2011 Record Type 18 - DNA Record
Topic Biometrics; Forensics
Keyword ANSI/NIST-ITL 1-2011; biometrics; conformance testing; conformance test architecture; CTA; CTS; BioCTS; conformance
test suite; data interchange; DNA data; Record Type 18; test assertions; testing methodology
Family
Abstract The Computer Security Division (CSD) of NIST/ITL develops conformance test architectures (CTAs) and test suites
(CTSs) to support users that require conformance to selected biometric standards. Product developers as well as testing
laboratories can also benefit from the use of these tools. This project supports the possible establishment of conformity
assessment programs for biometrics and also supports NIST/ITL’s Forensic Science Program by making conformance
testing tools available that provide developers, users, and purchasers with increased levels of confidence in product
quality and increase the probability of successful interoperability of biometrics and forensic data. One of the test tools is a
CTA/CTS designed to test implementations of ANSI/NIST-ITL 1-2011 (AN-2011) “Data Format for the Interchange of
Fingerprint, Facial & Other Biometric Information” for selected Record Types based on twelve hundred test assertions
previously developed. As part of the process associated with the extension of the first version of BioCTS for AN-2011,
NIST/ITL/CSD’s staff identified over two-hundred test assertions necessary to meet the conformance requirements for the
AN-2011 Record Type 18 - DNA Record. These test assertions are documented using the format specified in NIST Special
Publication 500-295, “Conformance Testing Methodology for ANSI/NIST-ITL 1-2011, Data Format for the Interchange of
Fingerprint, Facial & Other Biometric Information (Release 1.0)”.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7933
Final NISTIR 7946 4/28/2014 CVSS Implementation Guidance
Topic General IT Security; Security Automation; Viruses & Malware
Keyword Common Vulnerability Scoring System Version 2.0; CVSS v2.0; National Vulnerability Database; NVD; security metrics;
vulnerabilities; vulnerability scoring
Family Configuration Management
Abstract This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability
Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS
specification to score over 50,000 vulnerabilities analyzed by the National Vulnerability Database (NVD). An overview of
the CVSS base metrics is first presented followed by guidance for difficult and/or unique scoring situations. To assist
vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular
types of software vulnerabilities. The report includes a collection of scored IT vulnerabilities from the NVD, alongside a
justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7946
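The scoring process the report describes rests on the CVSS v2.0 base equation, which an analyst should be able to reproduce before applying the report's keyword-to-score guidance. The following is an added example, not code from NISTIR 7946, the NVD or FIRST: the metric value tables and the Impact, Exploitability and BaseScore equations are those of the CVSS v2.0 specification, the severity bands are the NVD's v2 ranges (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), and the vector strings are constructed for illustration rather than taken from NVD entries. CMSS, in NISTIR 7864 above, is derived from the same CVSS v2 framework, so the same structure of equations applies there with its own metric values.

```python
"""CVSS v2.0 base-score calculator.

Added example, not NISTIR 7946 or NVD code. Vector strings are constructed.
"""
from __future__ import annotations

import math
import re

# CVSS v2.0 base-metric value tables (CVSS v2.0 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None / Partial / Complete

# Strict grammar for a v2 base vector: malformed input is rejected, never guessed.
_VECTOR_RE = re.compile(
    r"^AV:(?P<AV>[LAN])/AC:(?P<AC>[HML])/Au:(?P<Au>[MSN])"
    r"/C:(?P<C>[NPC])/I:(?P<I>[NPC])/A:(?P<A>[NPC])$"
)


def parse_vector(vector: str) -> dict[str, str]:
    """Split 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into its six base metrics."""
    m = _VECTOR_RE.match(vector.strip())
    if m is None:
        raise ValueError(f"not a CVSS v2.0 base vector: {vector!r}")
    return m.groupdict()


def round_to_1_decimal(x: float) -> float:
    """CVSS v2 round_to_1_decimal: half-up, independent of Python's banker's round()."""
    return math.floor(x * 10 + 0.5) / 10


def impact_subscore(c: str, i: str, a: str) -> float:
    """Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))."""
    return 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))


def exploitability_subscore(av: str, ac: str, au: str) -> float:
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(vector: str) -> float:
    """BaseScore = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)-1.5)*f(Impact))."""
    m = parse_vector(vector)
    impact = impact_subscore(m["C"], m["I"], m["A"])
    exploitability = exploitability_subscore(m["AV"], m["AC"], m["Au"])
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact): no impact, score is 0
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score: float) -> str:
    """NVD CVSS v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    # Constructed vectors for illustration, not NVD entries.
    for v in (
        "AV:N/AC:L/Au:N/C:C/I:C/A:C",   # unauthenticated remote full compromise
        "AV:N/AC:L/Au:N/C:P/I:P/A:P",   # remote, partial impact on C, I and A
        "AV:L/AC:L/Au:N/C:C/I:C/A:C",   # local privilege escalation
        "AV:A/AC:M/Au:N/C:P/I:N/A:N",   # adjacent-network information leak
    ):
        s = base_score(v)
        print(f"{v}  base={s:4.1f}  {severity(s)}")
```

Two points matter in practice: the rounding step is half-up at one decimal, which `round()` does not guarantee, and the vector grammar is checked before any arithmetic so a mistyped metric fails loudly instead of being scored as something else.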
Final NISTIR 7956 9/18/2013 Cryptographic Key Management Issues & Challenges in Cloud Services
Topic Cloud Computing & Virtualization; Cryptography; PKI
Keyword authentication; cloud services; data protection; encryption; key management system (KMS); Secure Shell (SSH);
Transport Layer Security (TLS)
Family
Abstract To interact with various services in the cloud and to store the data generated/processed by those services, several
security capabilities are required. Based on a core set of features in the three common cloud services - Infrastructure as a
Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), we identify a set of security capabilities
needed to exercise those features and the cryptographic operations they entail. An analysis of the common state of
practice of the cryptographic operations that provide those security capabilities reveals that the management of
cryptographic keys takes on an additional complexity in cloud environments compared to enterprise IT environments due
to: (a) difference in ownership (between cloud Consumers and cloud Providers) and (b) control of infrastructures on which
both the Key Management System (KMS) and protected resources are located. This document identifies the cryptographic
key management challenges in the context of architectural solutions that are commonly deployed to perform those
cryptographic operations.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7956
DRAFT NISTIR 7977 2/18/2014 NIST Cryptographic Standards and Guidelines Development Process
Topic Cryptography
Keyword cryptographic guidelines; cryptographic standards
Family
Abstract This document describes the principles, processes and procedures that drive our cryptographic standards development
efforts. This draft document will be revised based on the feedback received during the public comment period, and the
revised publication will serve as the basis for NIST’s future standards development efforts. It will also serve as the basis for
the review of NIST’s existing body of cryptographic standards and guidelines.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7977
DRAFT NISTIR 7981 3/7/2014 Mobile, PIV, and Authentication
Topic
Keyword Derived PIV Credential; electronic authentication; microSD; mobile device; PIV Card; smart phone; tablet; UICC; USB
Family
Abstract The purpose of this document is to analyze various current and near-term options for remote electronic authentication
from mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of
mobile devices, such as smart phones and tablets.
Legal
Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7981