NIST SP 800 SERIES, FIPS, NISTIR INDEX (20131031)
Transcript

NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013)
Cloudburst Security, LLC, http://www.cloudburstsecurity.com (index pages 1-5 of 77 transcribed below)

SP 800-12 (Final)
Title: An Introduction to Computer Security: the NIST Handbook
Pub Date: 10/1/1995
Abstract: This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations. The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems.
Authors: Guttman, B. (NIST); Roback, E. A. (NIST)
Topic: General IT Security
Family: Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: Computer security; guidance; IT security; security controls
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources / Mandates Agency-Wide Information Security Program Development & Implementation
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-12

SP 800-13 (Final)
Title: Telecommunications Security Guidelines for Telecommunications Management Network
Pub Date: 10/1/1995
Abstract: This Telecommunication Security Guideline is intended to provide a security baseline for Network Elements (NEs) and Mediation Devices (MDs) that is based on commercial security needs. In addition, some National Security and Emergency Preparedness (NS/EP) security requirements will be integrated into the baseline to address specific network security needs. The guideline should assist telecommunications vendors in developing systems and service providers in implementing systems with appropriate security for integration into the Public Switched Network (PSN). It can also be used by a government agency or a commercial organization to formulate a specific security policy. It does not stipulate regulatory requirements or mandated standards of the National Institute of Standards and Technology.
Authors: Kimmins, J. (NIST); Dinkel, C. (NIST); Walters, D. (NIST)
Topic: Communications & Wireless
Family: Contingency Planning; Risk Assessment
Keywords: Telecommunications security; security baseline; security requirements
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-13

SP 800-14 (Final)
Title: Generally Accepted Principles and Practices for Securing Information Technology Systems
Pub Date: 9/1/1996
Abstract: As more organizations share information electronically, a common understanding of what is needed and expected in securing information technology (IT) resources is required. This document provides a baseline that organizations can use to establish and review their IT security programs. The document gives a foundation that organizations can reference when conducting multi-organizational business as well as internal business. Management, internal auditors, users, system developers, and security practitioners can use the guideline to gain an understanding of the basic security requirements most IT systems should contain. The foundation begins with generally accepted system security principles and continues with common practices that are used in securing IT systems.
Authors: Swanson, M. (NIST); Guttman, B. (NIST)
Topic: General IT Security
Family: Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: IT security; security baseline; security practices; security principles
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-14

SP 800-15 (Final)
Title: MISPC Minimum Interoperability Specification for PKI Components, Version 1
Pub Date: 1/1/1998
Abstract: The Minimum Interoperability Specification for PKI Components (MISPC) supports interoperability for a large scale public key infrastructure (PKI) that issues, revokes and manages X.509 version 3 digital signature public key certificates and version 2 certificate revocation lists (CRLs). To the extent possible, this document adopts data formats and transaction sets defined in existing and evolving standards, such as ITU X.509 and the IETF's Internet Public Key Infrastructure Using X.509 Certificates (PKIX) series. In this specification a PKI is broken into five components: certification authorities (CAs) that issue and revoke certificates; organizational registration authorities (ORAs) that vouch for the binding between public keys and certificate holder identities and other attributes; certificate holders that are issued certificates and can sign digital documents; clients that validate digital signatures and their certification paths from a known public key of a trusted CA; and repositories that store and make available certificates and CRLs. The MISPC supports both hierarchical and network trust models. In hierarchical models, trust is delegated by a CA when it certifies a subordinate CA. Trust delegation starts at a root CA that is trusted by every node in the infrastructure. In network models, trust is established between any two CAs. The MISPC specifies the use of X.509 v3 extensions in certificates to explicitly manage trust relationships. This specification consists primarily of a profile of certificate and CRL extensions and a set of transactions. The transactions include: certification requests, certificate renewal, certificate revocation, and retrieval of certificates and CRLs from repositories.
Authors: Burr, W. E. (NIST); Dodson, D. F. (NIST); Nazario, N. (NIST); Polk, W. T. (NIST)
Topic: Cryptography; Digital Signatures; PKI; Services & Acquisitions
Family: System & Communication Protection
Keywords: Certificate; certificate revocation list; certification authority (CA); CRL; public key infrastructure (PKI); registration authority; repository; X.509
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-15-Version%201

SP 800-16 Rev. 1 (Draft)
Title: Information Security Training Requirements: a Role- and Performance-Based Model
Pub Date: 10/29/2013
Abstract: Meeting security responsibilities and providing for the confidentiality, integrity, and availability of information in today's highly networked environment can be a difficult task. Each individual that owns, uses, relies on, or manages information and information systems must fully understand their specific security responsibilities. This includes ownership of the information and the role individuals have in protecting information. Information that requires protection includes information they own, information provided to them as part of their work and information they may come into contact with. This document describes information technology / cyber security role-based training for the Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities. This document is intended to be used by Federal information technology / cyber security training personnel and their contractors to assist in designing role-based training courses or modules for Federal Organizations personnel who have been identified as having significant responsibilities for information technology / cyber security. This publication should also be read, reviewed, or understood at a fairly high level by several audiences including the Organizational Heads through the leadership chain to the individual. Some of the titles include the IT Managers, Senior Agency Information Security Officer (SAISO), Certified Information Systems Security Officer (CISSO), Information Systems Security Officer (ISSO), Information Assurance Manager (IAM), and Program Manager (PM).
Authors: Toth, P. (NIST); Klein, P. (Systegra, Inc.)
Topic: Audit & Accountability; Awareness & Training
Family: Awareness & Training; Program Management
Keywords: Cyber security; information assurance; learning continuum; role-based training; security; security awareness; security controls; security literacy
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources / Conduct Security Awareness Training
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-16-Rev.%201

SP 800-16 (Final)
Title: Information Technology Security Training Requirements: a Role- and Performance-Based Model
Pub Date: 4/1/1998
Abstract: This document supersedes NIST SP 500-172, Computer Security Training Guidelines, published in 1989. The new document supports the Computer Security Act (Public Law 100-235) and OMB Circular A-130 Appendix III requirements that NIST develop and issue computer security training guidance. This publication presents a new conceptual framework for providing information technology (IT) security training. This framework includes the IT security training requirements appropriate for today's distributed computing environment and provides flexibility for extension to accommodate future technologies and the related risk management decisions.
Authors: Wilson, M. (NIST); de Zafra, D. E. (National Institutes of Health); Pitcher, S. I. (Department of Commerce); Tressler, J. D. (Department of Education); Ippolito, J. B. (Allied Technology Group, Inc.)
Topic: Audit & Accountability; Awareness & Training
Family: Awareness & Training; Program Management
Keywords: Awareness; behavioral objectives; education; individual accountability; job function; management and technical controls; rules of behavior; training
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources / Conduct Security Awareness Training
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-16

SP 800-17 (Final)
Title: Modes of Operation Validation System (MOVS): Requirements and Procedures
Pub Date: 2/1/1998
Abstract: The National Institute of Standards and Technology (NIST) Modes of Operation Validation System (MOVS) specifies the procedures involved in validating implementations of the DES algorithm in FIPS PUB 46-2, The Data Encryption Standard (DES), and the Skipjack algorithm in FIPS PUB 185, Escrowed Encryption Standard (EES). The MOVS is designed to perform automated testing on Implementations Under Test (IUTs). This publication provides brief overviews of the DES and Skipjack algorithms and introduces the basic design and configuration of the MOVS. Included in this overview are the specifications for the two categories of tests which make up the MOVS, i.e., the Known Answer tests and the Modes tests. The requirements and administrative procedures to be followed by those seeking formal NIST validation of an implementation of the DES or Skipjack algorithm are presented. The requirements described include the specific protocols for communication between the IUT and the MOVS, the types of tests which the IUT must pass for formal NIST validation, and general instructions for accessing and interfacing with the MOVS. An appendix with tables of values and results for the DES and Skipjack Known Answer tests is also provided.
Authors: Keller, S. S. (NIST); Smid, M. E. (NIST)
Topic: Authentication; Cryptography
Family: Certification, Accreditation & Security Assessments; System & Communication Protection
Keywords: Automated testing; computer security; cryptographic algorithms; cryptography; Data Encryption Standard (DES); Federal Information Processing Standard (FIPS); NVLAP; Skipjack algorithm; secret key cryptography; validation
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-17

SP 800-18 Rev. 1 (Final)
Title: Guide for Developing Security Plans for Federal Information Systems
Pub Date: 2/1/2006
Abstract: The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.
Authors: Swanson, M. (NIST); Hash, J. (NIST); Bowen, P. (NIST)
Topic: Audit & Accountability; Certification & Accreditation (C&A); Planning
Family: Certification, Accreditation & Security Assessments; Planning
Keywords: Authorize processing; computer security; general support system; major application; management controls; operational controls; rules of behavior; security plan; technical controls
Legal: Federal Information Security Management Act of 2002 (FISMA) / Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7) / Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources / Mandates Agency-Wide Information Security Program Development & Implementation
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-18-Rev.1

SP 800-19 (Final)
Title: Mobile Agent Security
Pub Date: 10/1/1999
Abstract: Mobile agent technology offers a new computing paradigm in which a program, in the form of a software agent, can suspend its execution on a host computer, transfer itself to another agent-enabled host on the network, and resume execution on the new host. The use of mobile code has a long history dating back to the use of remote job entry systems in the 1960's. Today's agent incarnations can be characterized in a number of ways ranging from simple distributed objects to highly organized software with embedded intelligence. As the sophistication of mobile software has increased over time, so too have the associated threats to security. This report provides an overview of the range of threats facing the designers of agent platforms and the developers of agent-based applications. The report also identifies generic security objectives, and a range of measures for countering the identified threats and fulfilling these security objectives.
Authors: Jansen, W. (NIST); Karygiannis, A. T. (NIST)
Topic: Planning; Risk Assessment; Viruses & Malware
Family: Access Control; Audit & Accountability; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity
Keywords: Computer security; mobile agent security
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-19

SP 800-20 (Final)
Title: Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
Pub Date: 3/1/2012
Abstract: The National Institute of Standards and Technology (NIST) Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS) specifies the procedures involved in validating implementations of the Triple DES algorithm in ANSI X9.52-1998, Triple Data Encryption Algorithm Modes of Operation. Successful completion of the tests contained within the TMOVS is required to claim conformance to ANSI X9.52-1998. The TMOVS is designed to perform automated testing on Implementations Under Test (IUTs). This publication provides a brief overview of the Triple DES algorithm and introduces the basic design and configuration of the TMOVS. Included in this overview are the specifications for the two categories of tests which make up the TMOVS, i.e., the Known Answer tests and the Modes tests. The requirements and administrative procedures to be followed by those seeking formal NIST validation of an implementation of the Triple DES algorithm are presented. The requirements described include the specific protocols for communication between the IUT and the TMOVS, the types of tests which the IUT must pass for formal NIST validation, and general instructions for accessing and interfacing with the TMOVS. An appendix with tables of values and results for the TDES Known Answer tests is also provided.
Authors: Keller, S. S. (NIST)
Topic: Cryptography
Family: Certification, Accreditation & Security Assessments; System & Communication Protection
Keywords: Automated testing; computer security; cryptographic algorithms; cryptography; Triple Data Encryption Algorithm (TDEA); Triple Data Encryption Standard (TDES); Federal Information Processing Standard (FIPS); NVLAP; secret key cryptography; validation
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-20

SP 800-21 Second edition (Final)
Title: Guideline for Implementing Cryptography in the Federal Government
Pub Date: 12/1/2005
Abstract: This Second Edition of NIST Special Publication (SP) 800-21 updates and replaces the November 1999 edition of Guideline for Implementing Cryptography in the Federal Government. Many of the references and cryptographic techniques contained in the first edition of NIST SP 800-21 have been amended, rescinded, or superseded since its publication. The current publication offers new tools and techniques. NIST SP 800-21 is intended to provide a structured, yet flexible set of guidelines for selecting, specifying, employing, and evaluating cryptographic protection mechanisms in Federal information systems, and thus makes a significant contribution toward satisfying the security requirements of the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. The current publication also reflects the elimination of the waiver process by the Federal Information Security Management Act (FISMA) of 2002. SP 800-21 includes background information; describes the advantages of using cryptography; defines the role and use of standards and describes standards organizations that are outside the Federal government; describes the methods that are available for symmetric and asymmetric key cryptography; describes implementation issues (e.g., key management); discusses assessments, including the Cryptographic Module Validation Program (CMVP), the Common Criteria (CC), and Certification and Accreditation (C&A); and describes the process of choosing the types of cryptography to be used and selecting a cryptographic method or methods to fulfill a specific requirement.
Authors: Barker, E. B. (NIST); Barker, W. C. (NIST); Lee, A. (NIST)
Topic: Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Planning; Risk Assessment; Services & Acquisitions
Family: Contingency Planning; Incident Response; Planning; System & Communication Protection; System & Services Acquisition
Keywords: Cryptographic algorithm; cryptographic hash function; cryptographic key; cryptographic module; digital signature; key establishment; key management; message authentication code
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-21-2nd%20edition

SP 800-22 Rev. 1a (Final)
Title: A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
Pub Date: 4/1/2010
Abstract: This paper discusses some aspects of selecting and testing random and pseudorandom number generators. The outputs of such generators may be used in many cryptographic applications, such as the generation of key material. Generators suitable for use in cryptographic applications may need to meet stronger requirements than for other applications. In particular, their outputs must be unpredictable in the absence of knowledge of the inputs. Some criteria for characterizing and selecting appropriate generators are discussed in this document. The subject of statistical testing and its relation to cryptanalysis is also discussed, and some recommended statistical tests are provided. These tests may be useful as a first step in determining whether or not a generator is suitable for a particular cryptographic application. However, no set of statistical tests can absolutely certify a generator as appropriate for usage in a particular application, i.e., statistical testing cannot serve as a substitute for cryptanalysis. The design and cryptanalysis of generators is outside the scope of this paper.
Authors: Bassham III, L. E. (NIST); Rukhin, A. L. (NIST); Soto, J. (NIST); Nechvatal, J. R. (NIST); Smid, M. E. (NIST); Barker, E. B. (NIST); Leigh, S. D. (NIST); Levenson, M. (NIST); Vangel, M. (NIST); Banks, D. L. (NIST); Heckert, N. A. (NIST); Dray, J. F. (NIST); Vo, San (NIST)
Topic: Cryptography
Family: Certification, Accreditation & Security Assessments; System & Communication Protection
Keywords: Random number generator; hypothesis test; P-value
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-22-Rev.%201a

SP 800-23 (Final)
Title: Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
Pub Date: 8/1/2000
Abstract: Computer security assurance provides a basis for one to have confidence that security measures, both technical and operational, work as intended. Use of products with an appropriate degree of assurance contributes to security and assurance of the system as a whole and thus should be an important factor in IT procurement decisions. Two Government programs are of particular interest -- the National Information Assurance Partnership (NIAP)'s Common Criteria Evaluation and Validation Program and NIST's Cryptographic Module Validation Program (CMVP). The NIAP program focuses on evaluations of products (e.g., a firewall or operating system) against a set of security specifications. The CMVP program focuses on security conformance testing of a cryptographic module against Federal Information Processing Standard 140-1, Security Requirements for Cryptographic Modules, and related federal cryptographic algorithm standards.
Authors: Roback, E. A. (NIST)
Topic: Certification & Accreditation (C&A); Risk Assessment
Family: Certification, Accreditation & Security Assessments; Risk Assessment; System & Services Acquisition
Keywords: Assurance; computer security; evaluation; information assurance; IT security; security testing
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-23

SP 800-24 (Final)
Title: PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
Pub Date: 4/1/2001
Abstract: This report presents a generic methodology for conducting an analysis of a Private Branch Exchange (PBX) in order to identify security vulnerabilities. The report focuses on digital-based PBXs and addresses the following areas for study: System Architecture; Hardware; Maintenance; Administrative Database/Software; and User Features. The methods described in this report are designed to assist administrators in conducting this type of testing. Computer based telephony systems and new techniques such as voice over IP (VOIP) present an entirely new collection of vulnerabilities and are not addressed in this report. However, some of the evaluation methods described here may be applied to these systems as well.
Authors: Kuhn, D. R. (NIST)
Topic: Communications & Wireless; Maintenance
Family: Access Control; Contingency Planning; Identification & Authentication; Maintenance; Media Protection; Physical & Environmental Protection; Risk Assessment
Keywords: Computer security; PBX; private branch exchange; telecommunications security
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-24

SP 800-25 (Final)
Title: Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
Pub Date: 10/1/2000
Abstract: This guidance document was developed by the Federal Public Key Infrastructure Steering Committee to assist Federal agencies that are considering the use of public key technology for digital signatures or authentication over open networks such as the Internet. This includes communications with other Federal or non-Federal entities, such as members of the public, private firms, citizen groups, and state and local governments. Most public key technology applications for digital signatures provide for user authentication as well. However, public key technology can be used for user authentication only without digital signatures. Standards such as X.509 provide for that functionality. This document encourages the thoughtful use of public key technology by Federal agencies as set forth in guidance published by the Office of Management and Budget implementing the Government Paperwork Elimination Act (GPEA). It also amplifies upon principles contained in the GPEA guidance and separately in Access with Trust issued in September 1998 by the Office of Management and Budget, the National Partnership for Reinventing Government, and the Government Information Technology Services Board. Finally, it discusses briefly the governmentwide Public Key Infrastructure (PKI) which is developing to enable applications programs to effectively use public key technology across Federal agencies.
Authors: Lyons-Burke, K. (NIST); Federal Public Key Infrastructure Steering Committee
Topic: Authentication; Cryptography; Digital Signatures; PKI; Planning; Services & Acquisitions
Family: Contingency Planning; Identification & Authentication; Planning; Risk Assessment; System & Communication Protection
Keywords: Federal bridge CA; Government Paperwork Elimination Act; GPEA; guidance; PKI; public key infrastructure
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-25

SP 800-27 Rev. A (Final)
Title: Engineering Principles for Information Technology Security (A Baseline for Achieving Security), Revision A
Pub Date: 6/1/2004
Abstract: The Engineering Principles for Information Technology (IT) Security (EP-ITS) presents a list of system-level security principles to be considered in the design, development, and operation of an information system. This document is to be used by IT security stakeholders and the principles introduced can be applied to general support systems and major applications. EP-ITS presents principles that apply to all systems, not ones tied to specific technology areas. These principles provide a foundation upon which a more consistent and structured approach to the design, development, and implementation of IT security capabilities can be constructed. While the primary focus of these principles remains on the implementation of technical countermeasures, these principles highlight the fact that, to be effective, a system security design should also consider non-technical issues, such as policy, operational procedures, and user education.
Authors: Stoneburner, G. (NIST); Hayden, C. (Booz Allen Hamilton); Feringa, A. (Booz Allen Hamilton)
Topic: General IT Security; Planning
Family: Planning; System & Services Acquisition
Keywords: Computer security; engineering principles; IT security; security baseline
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-27-Rev.%20A

SP 800-28 Version 2 (Final)
Title: Guidelines on Active Content and Mobile Code
Pub Date: 3/1/2008
  • 6. Status Abstract Final Series Pub# SP NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title 800-28 Version 2 Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it can also become a source of vulnerability for exploitation by an attacker. The purpose of this document is to provide an overview of active content and mobile code technologies in use today and offer insights for making informed IT security decisions on their application and treatment. The discussion gives details about the threats, technology risks, and safeguards for end user systems, such as desktops and laptops. Although various end user applications, such as email clients, can involve active content, Web browsers remain the primary vehicle for delivery and are underscored in the discussion. The tenets presented for Web browsers apply equally well to other end user applications and can be inferred directly. Authors Jansen, W. (NIST); Winograd, T. (Booz Allen Hamilton); Scarfone, K. A. (NIST); Topic Risk Assessment; Viruses & Malware Family Access Control; Risk Assessment; System & Communication Protection; System & Information Integrity Keywords Active content; email security; malware; mobile code; Web security Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-28-Version%202 Final SP 800-29 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2 Pub Date 6/1/2001 Abstract Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in critical infrastructures, electronic commerce, and other application areas. 
Cryptographic modules are implemented in these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation and identification and authentication. A documented methodology for conformance testing through a defined set of security requirements in FIPS 140-1 and FIPS 140-2 and other cryptographic standards is specified in the Derived Test Requirements.FIPS 140-1 is one of NIST's most successful standards and forms the very foundation of the Cryptographic Module Validation Program. FIPS 140-2 addresses lessons learned from questions and comments and reflects changes in technology. The standard was strengthened, but not changed in focus or emphasis. Also, the standard was minimally restructured to: standardize the language and terminology to add clarity and consistency; remove redundant and extraneous information to make the standard more concise; and revise or remove vague requirements. Finally, a new section was added detailing new types of attacks on cryptographic modules that currently do not have specific testing available. This differences paper summarizes the changes from FIPS 140-1 to FIPS 140-2 and documents the detailed requirements. Authors Snouffer, S. R. (NIST); Lee, A. (NIST); Oldehoeft, A. (NIST); Topic Cryptography Family System & Communication Protection Keywords Cryptographic modules; cryptography; cryptography security requirements; FIPS PUB 140-1; FIPS PUB 140-2 Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-29 Final SP 800-30 Rev. 1 Guide for Conducting Risk Assessments Pub Date 9/1/2012 Abstract The purpose of Special Publication 800-30 is to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. 
Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks. Authors Joint Task Force Transformation Initiative Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment Family Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System & Services Acquisition Keywords Cost-benefit analysis; residual risk; risk; risk assessment; risk management; risk mitigation; security controls; threat vulnerability Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-30-Rev.%201 Final SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure Pub Date 2/26/2001 Abstract This publication was developed to assist agency decision-makers in determining if a PKI is appropriate for their agency, and how PKI services can be deployed most effectively within a Federal agency. It is intended to provide an overview of PKI functions and their applications. Additional documentation will be required to fully analyze the costs and benefits of PKI systems for agency use, and to develop plans for their implementation. This document provides a starting point and references to more comprehensive publications. Authors Kuhn, D. R. (NIST); Hu, V. (NIST); Polk, W. T. (NIST); Chang, S.-j. H. 
(NIST); Topic Authentication; Cryptography; Digital Signatures; PKI; Planning Family Identification & Authentication; Planning; Risk Assessment; System & Communication Protection Keywords Certificates; digital signatures; PKI; public key infrastructure Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-32 Final SP Pub Date Cloudburst Security, LLC 800-33 Underlying Technical Models for Information Technology Security 12/1/2001 Page 6 of 77 http://www.cloudburstsecurity.com
  • 7. Status Abstract Final Series Pub# SP 800-33 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Underlying Technical Models for Information Technology Security provides a description of the technical foundations, termed models, that underlie secure information technology (IT). The intent is to provide, in a concise form, the models that should be considered in the design and development of technical security capabilities. These models encompass lessons learned, good practices, and specific technical considerations.The intended audience consists of both government and private sectors including: IT users desiring a better understanding of system security; engineers and architects designing/building security capabilities; and those developing guidance for others to use in implementing security capabilities. Authors Stoneburner, G. (NIST); Topic General IT Security; Planning Family Planning; System & Services Acquisition Keywords Computer security; information technology security; IT security; technical models Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-33 Final SP 800-34 Rev. 1 Contingency Planning Guide for Federal Information Systems Pub Date 11/11/2010 Abstract This publication assists organizations in understanding the purpose, process, and format of information system contingency planning development through practical, real-world guidelines. This guidance document provides background information on interrelationships between information system contingency planning and other types of security and emergency management-related contingency plans, organizational resiliency, and the system development life cycle. This document provides guidance to help personnel evaluate information systems and operations to determine contingency planning requirements and priorities. Authors Swanson, M. (NIST); Bowen, P. (NIST); Phillips, A. W. (Booz Allen Hamilton); Gallup, D. (Booz Allen Hamilton); Lynes, D. 
(Booz Allen Hamilton); Topic Certification & Accreditation (C&A); Contingency Planning Family Contingency Planning; Maintenance; Planning; Risk Assessment; System & Services Acquisition Keywords Contingency Planning; Resilience; Information System Contingency Plan; Incident Response Plan; Disaster Recovery Plan Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Develop Contingency Plans & Procedures Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-34-Rev.%201 Final SP 800-35 Guide to Information Technology Security Services Pub Date 10/1/2003 Abstract Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from security policy development to intrusion detection support, may be offered by an IT group internal to an organization, or by a growing group of vendors. It is difficult and challenging to determine service provider capabilities, measure service reliability and navigate the many complexities involved in security service agreements.This guide provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. This life cycle provides a framework that enables the IT security decision makers to organize their IT security effortsfrom initiation to closeout. 
The factors to be considered when selecting, implementing, and managing IT security services include: the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization systems, applications, and information. Authors Grance, T. (NIST); Hash, J. (NIST); Stevens, M. (Booz Allen Hamilton); O'Neal, K. (NIST); Bartol, N. (NIST); Topic Planning; Services & Acquisitions Family Certification, Accreditation & Security Assessments; Configuration Management; System & Services Acquisition Keywords Computer security; information security; life cycle; outsourcing business case; security service; service level agreement; service provider; total cost of ownership Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-35 Final SP 800-36 Guide to Selecting Information Technology Security Products Pub Date 10/1/2003 Abstract The selection of IT security products is an integral part of the design, development and maintenance of an IT security infrastructure that ensures confidentiality, integrity, and availability of mission critical information. The guide seeks to assist in choosing IT security products that meet an organization's requirements. It should be used with other NIST publications to develop a comprehensive approach to meeting an organization's computer security and information assurance requirements. This guide defines broad security product categories, specifies product types within those categories, and then provides a list of characteristics and pertinent questions an organization should ask when selecting a product from within these categories. Authors Grance, T. (NIST); Stevens, M. (Booz Allen Hamilton); Myers, M. 
(Booz Allen Hamilton); Topic Planning; Services & Acquisitions Family Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Incident Response; Media Protection; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition Cloudburst Security, LLC Page 7 of 77 http://www.cloudburstsecurity.com
  • 8. Status Keywords Series Pub# Title Final SP 800-36 Computer security; enterprise architecture; life cycle; products; security controls Final SP 800-37 Rev. 1 Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsSPs.html#SP-800-36 Pub Date 2/1/2010 Abstract The purpose of SP 800-37 Rev 1 is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. Authors Joint Task Force Transformation Initiative (); Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment Family Certification, Accreditation & Security Assessments; Configuration Management; Planning; Program Management; Risk Assessment Keywords Risk management framework; categorize; security controls; information systems; common controls; roles and responsibilities; security authorization; continuous monitoring; FISMA Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-37-Rev.%201 Final SP 800-38A Addendum Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode Pub Date 10/1/2010 Abstract A limitation to Cipher Block Chaining (CBC) mode, as specified in NIST Special Publication 800-38A, is that 
the plaintext input must consist of a sequence of blocks. Ciphertext stealing is a padding method in which the required padding bits are "stolen" from the penultimate ciphertext block. This addendum to SP 800-38A specifies three variants of CBC mode with ciphertext stealing. These variants, which differ only in the ordering of the ciphertext bits, can encrypt any input whose bit length is greater than or equal to the block size. Unlike conventional padding methods, these variants do not expand the length of the data. Authors Dworkin, M. J. (NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords Block cipher; ciphertext stealing; cryptography; encryption; mode of operation Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-A%20-%20Addendum Title Final SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques Pub Date 12/1/2001 Abstract This recommendation defines five confidentiality modes of operation for use with an underlying symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an underlying block cipher algorithm that is approved in a Federal Information Processing Standard (FIPS), these modes can provide cryptographic protection for sensitive, but unclassified, computer data. Authors Dworkin, M. J. (NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords Computer security; cryptography; data security; block cipher; encryption; mode of operation. Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-A Final SP 800-38B Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication Pub Date 5/1/2005 Abstract This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. 
This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data. Authors Dworkin, M. J. (NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords Authentication; block cipher; cryptography; information security; integrity; message authentication code; mode of operation. Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-B Final SP Pub Date Cloudburst Security, LLC 800-38C Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality 7/20/2007 Page 8 of 77 http://www.cloudburstsecurity.com
  • 9. Status Abstract Final Series Pub# SP 800-38C NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title This Recommendation defines a mode of operation, called Counter with Cipher Block Chaining-Message Authentication Code (CCM), for a symmetric key block cipher algorithm. CCM may be used to provide assurance of the confidentiality and the authenticity of computer data by combining the techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm. Authors Dworkin, M. J. (NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords Authenticated encryption; authentication; block cipher; confidentiality; cryptography; encryption; information security; message authentication code; mode of operation Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-C Final SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC Pub Date 11/1/2007 Abstract This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher. Authors Dworkin, M. J. (NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords Authenticated encryption; authentication; block cipher; confidentiality; cryptography; encryption; information security; mode of operation. 
Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-D Final SP 800-38E Recommendation for Block Cipher Modes of Operation: the XTS-AES Mode for Confidentiality on Storage Devices Pub Date 1/1/2010 Abstract This publication approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one additional requirement, as an option for protecting the confidentiality of data on storage devices. The mode does not provide authentication of the data or its source. Authors Dworkin, M. J. (NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords Block cipher; ciphertext stealing; computer security; confidentiality; cryptography; encryption; information security mode of operation; tweakable block cipher. Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-E Final SP 800-38F Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping Pub Date 12/21/2012 Abstract This publication describes cryptographic methods that are approved for “key wrapping,” i.e., the protection of the confidentiality and integrity of cryptographic keys. In addition to describing existing methods, this publication specifies two new, deterministic authenticated-encryption modes of operation of the Advanced Encryption Standard (AES) algorithm: the AES Key Wrap (KW) mode and the AES Key Wrap With Padding (KWP) mode. An analogous mode with the Triple Data Encryption Algorithm (TDEA) as the underlying block cipher, called TKW, is also specified, to support legacy applications. Authors Dworkin, M. J. 
(NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords authenticated encryption; authentication; block cipher; computer security; confidentiality; cryptography; encryption; information security; key wrapping; mode of operation Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-F Draft SP 800-38G Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption Pub Date 7/8/2013 Abstract This Recommendation specifies three methods for format-preserving encryption, called FF1, FF2, and FF3. Each of these methods is a mode of operation of the AES algorithm, which is used to construct a round function within the Feistel structure for encryption. Authors Dworkin, M. J. (NIST); Topic Authentication; Cryptography Family System & Communication Protection Keywords block cipher; computer security; confidentiality; cryptography; encryption; Feistel structure; format-preserving encryption; information security; mode of operation Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-38-G Final SP Pub Date Cloudburst Security, LLC 800-39 Managing Information Security Risk: Organization, Mission, and Information System View 3/1/2011 Page 9 of 77 http://www.cloudburstsecurity.com
  • 10. Status Abstract Final Series Pub# SP 800-39 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing information security risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines. The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the information security risk management guidance described herein is complementary to and can be used as part of a more comprehensive Enterprise Risk Management (ERM) program. 
Authors Joint Task Force Transformation Initiative (); Topic Planning; Risk Assessment Family Program Management Keywords Risk management; security; risk assessment; roles; responsibilities; organization; mission; information system; enterprise risk management; continuous monitoring; joint task force transformation initiative Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-39 Final SP 800-40 Version 2.0 Creating a Patch and Vulnerability Management Program Pub Date 11/1/2005 Abstract This document provides guidance on creating a security patch and vulnerability management program and testing the effectiveness of that program. The primary audience is security managers who are responsible for designing and implementing the program. However, this document also contains information useful to system administrators and operations personnel who are responsible for applying patches and deploying solutions (i.e., information related to testing patches and enterprise patching software). Authors Mell, P. M. (NIST); Bergeron, T. (The MITRE Corporation); Henning, D. (Hughes Network Systems LLC); Topic Maintenance; Planning; Risk Assessment; Viruses & Malware Family Awareness & Training; Configuration Management; Planning; Risk Assessment Keywords Computer security; security patches; vulnerability management Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-40-Version%202.0 Final SP 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies Pub Date 7/22/2013 Abstract Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. 
This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies and it also briefly discusses metrics for measuring the technologies’ effectiveness. Draft NIST SP 800-40 Revision 3 replaces the previous release (version 2), which was published in 2005. Authors Souppaya, M. P. (NIST); Scarfone, K. A. (Scarfone Cybersecurity); Topic Maintenance; Planning; Risk Assessment Family Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Information Integrity Keywords information security; patch management; remediation; software patches; vulnerability management Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-40-Rev.%203 Final SP 800-41 Rev. 1 Guidelines on Firewalls and Firewall Policy Pub Date 9/1/2009 Abstract Firewalls are devices or programs that control the flow of network traffic between networks or hosts employing differing security postures. This publication provides an overview of several types of firewall technologies and discusses their security capabilities and their relative advantages and disadvantages in detail. It also makes recommendations for establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions. Authors Scarfone, K. A. (NIST); Hoffman, P. 
(Virtual Private Network Consortium); Topic Audit & Accountability; Communications & Wireless; Planning Family Access Control; Audit & Accountability; Planning; System & Communication Protection Keywords Firewall policy; firewalls; host-based firewalls; network firewalls; network security; packet filtering; perimeter security; personal firewalls; proxies Cloudburst Security, LLC Page 10 of 77 http://www.cloudburstsecurity.com
  • 11. Status Legal Series Pub# Title Final SP 800-41 Rev. 1 Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure Final SP 800-43 Systems Administration Guidance for Securing Windows 2000 Professional System Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsSPs.html#SP-800-41-Rev.%201 Pub Date 11/1/2002 Abstract The document is intended to assist the users and system administrators of Windows 2000 Professional systems in configuring their hosts by providing configuration templates and security checklists. The guide provides detailed information about the security features of Win2K Pro, security configuration guidelines for popular applications, and security configuration guidelines for the Win2K Pro operating system. The guide documents the methods that the system administrators can use to implement each security setting recommended. The principal goal of the document is to recommend and explain tested, secure settings for Win2K Pro workstations with the objective of simplifying the administrative burden of improving the security of Win2K Pro systems. This guidance document also includes recommendations for testing and configuring common Windows applications. The application types include electronic mail (e-mail) clients, Web browsers, productivity applications, and antivirus scanners. This list is not intended to be a complete list of applications to install on Windows 2000 Professional, nor does it imply NIST's endorsement of particular commercial off-the-shelf (COTS) products. Many of the configuration recommendations for the tested Windows applications focus on deterring viruses, worms, Trojan horses, and other types of malicious code. The guide presents recommendations to protect the Windows 2000 Professional system from malicious code when the tested applications are being used. Authors Souppaya, M. P. (NIST); Harris, A. B. (Booz Allen Hamilton); McLarnon, M. 
(Booz Allen Hamilton); Selimis, N. (Booz Allen Hamilton); Topic Maintenance; Planning Family Access Control; Configuration Management; Contingency Planning; System & Information Integrity Keywords E-mail client; hardening; lock-down; Microsoft Windows 2000; operating system; patches; security; virus; web-browser Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-43 Final SP 800-44 Version 2 Guidelines on Securing Public Web Servers Pub Date 9/1/2007 Abstract Web servers are often the most targeted and attacked hosts on organizations' networks. As a result, it is essential to secure Web servers and the network infrastructure that supports them. This document is intended to assist organizations in installing, configuring, and maintaining secure public Web servers. Practices described in detail include choosing Web server software and platforms, securing the underlying operating system and Web server software, deploying appropriate network protection mechanisms, and using, publicizing, and protecting information in a careful and systematic manner. The publication also provides recommendations for maintaining secure configurations through patching and upgrades, security testing, log monitoring, and backups of data and operating system files. Authors Tracy, M. (Federal Reserve Information Technology); Jansen, W. (NIST); Scarfone, K. A. (NIST); Winograd, T. 
(Booz Allen Hamilton); Topic General IT Security; Planning Family Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System & Communication Protection Keywords Web server; Web server security Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-44-Version%202 Final SP 800-45 Version 2 Guidelines on Electronic Mail Security Pub Date 2/1/2007 Abstract This document was developed in furtherance of NIST's statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. The purpose of the publication is to recommend security practices for designing, implementing, and operating email systems on public and private networks. It contains information on popular email encryption standards and other standards relating to email. It presents general information on securing mail servers' operating systems and specific guidance on securing mail server applications, protecting messages traversing servers, and securing access to mailboxes. It also provides information regarding email client security and mail server administration. Authors Tracy, M. (Federal Reserve Information Technology); Jansen, W. (NIST); Scarfone, K. A. (NIST); Butterfield, J. 
(Booz Allen Hamilton); Topic Communications & Wireless Family Access Control; Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity Keywords E-mail; electronic mail; FISMA Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-45-Version%202 Final SP Cloudburst Security, LLC 800-46 Rev. 1 Guide to Enterprise Telework and Remote Access Security Page 11 of 77 http://www.cloudburstsecurity.com
  • 12. Status Pub Date Final Series Pub# SP 800-46 Rev. 1 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title 6/1/2009 Abstract Many organizations employees and contractors use enterprise telework technologies to perform work from external locations. Most teleworkers use remote access technologies to interface with an organization's non-public computing resources. The nature of telework and remote access technologies permitting access to protected resources from external networks and often external hosts as well generally places them at higher risk than similar technologies only accessed from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through remote access. This publication provides information on security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework and remote access technologies. It also gives advice on creating telework security policies. Authors Scarfone, K. A. (NIST); Hoffman, P. (Virtual Private Network Consortium); Souppaya, M. P. 
(NIST); Topic Authentication; Communications & Wireless; Contingency Planning; General IT Security; Viruses & Malware Family Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Media Protection; Risk Assessment; System & Communication Protection; System & Information Integrity Keywords Mobile device security; remote access; remote access security; telework; telework security; virtual private networking Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Develop Contingency Plans & Procedures Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-46-Rev.%201 Final SP 800-47 Security Guide for Interconnecting Information Technology Systems Pub Date 8/1/2002 Abstract The Security Guide for Interconnecting Information Technology Systems provides guidance for planning, establishing, maintaining, and terminating interconnections between information technology (IT) systems that are owned and operated by different organizations. They are consistent with the requirements specified in the Office of Management and Budget (OMB) Circular A-130, Appendix III, for system interconnection and information sharing. A system interconnection is defined as the direct connection of two or more IT systems for the purpose of sharing data and other information resources. The document describes benefits of interconnecting IT systems, defines the basic components of an interconnection, identifies methods and levels of interconnectivity, and discusses potential security risks. The document then presents a "life-cycle" approach for system interconnections, with an emphasis on security. 
Four phases are addressed: a) Planning the interconnection: the organizations perform preliminary activities; examine technical, security, and administrative issues; and form an agreement governing the management, operation, and use of the interconnection; b) Establishing the interconnection: the organizations develop and execute a plan for establishing the interconnection, including implementing or configuring security controls; c) Maintaining the interconnection: the organizations maintain the interconnection after it is established to ensure that it operates properly and securely; and d) Disconnecting the interconnection: one or both organizations may terminate the interconnection. The termination should be conducted in a planned manner to avoid disrupting the other party's system. In an emergency, however, one or both organizations may choose to terminate the interconnection immediately. The document provides recommended steps for completing each phase, emphasizing security measures to protect the systems and shared data. The document also contains guides and samples for developing an Interconnection Security Agreement (ISA) and a Memorandum of Understanding/Agreement (MOU/A). The ISA specifies technical and security requirements of the interconnection; the MOU/A defines the responsibilities of the organizations. Finally, the document contains a guide for developing an Implementation Plan to establish the interconnection. Authors Grance, T. (NIST); Hash, J. (NIST); Peck, S. (Booz Allen Hamilton); Smith, J. (Booz Allen Hamilton); Korow-Diks, K. (Booz Allen Hamilton); Topic Certification & Accreditation (C&A); General IT Security; Planning; Risk Assessment Family Certification, Accreditation & Security Assessments Keywords Information systems security; interconnecting systems; IT security; system development life cycle Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-47 Final SP 800-48 Rev. 
1 Guide to Securing Legacy IEEE 802.11 Wireless Networks Pub Date 7/1/2008 Abstract The purpose of this document is to provide guidance to organizations in securing their legacy Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networks (WLAN) that cannot use IEEE 802.11i. The document provides an overview of legacy IEEE 802.11 WLAN standards, components, and architectural models. It discusses the basics of WLAN security and examines the security capabilities provided by legacy IEEE 802.11 standards. The document also discusses threats and vulnerabilities involving legacy IEEE 802.11 WLANs, explains common countermeasures, and makes recommendations for their use. Authors Scarfone, K. A. (NIST); Dicoi, D. (Booz Allen Hamilton); Sexton, M. (Booz Allen Hamilton); Tibbs, C. (Booz Allen Hamilton); Topic Authentication; Communications & Wireless; General IT Security; Planning; Services & Acquisitions Family Access Control; Configuration Management; Identification & Authentication; Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition Keywords IEEE 802.11; network security; wireless local area network; wireless networking Cloudburst Security, LLC Page 12 of 77 http://www.cloudburstsecurity.com
  • 13. Status Legal Final Series Pub# SP 800-48 Rev. 1 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-48-Rev.%201 Final SP 800-49 Federal S/MIME V3 Client Profile Pub Date 11/1/2002 Abstract The National Institute of Standards and Technology (NIST), Information Technology Laboratory, Computer Security Division, has developed this S/MIME (Secure / Multipurpose Internet Mail Extensions) client profile as guidance in the development and procurement of commercial-off-theshelf (COTS) S/MIME-compliant products. This profile document identifies requirements for a secure and interoperable S/MIME V3 client implementation. NIST is developing tests and testing tools to determine the level of conformance of an S/MIME V3 client implementation with this profile. Authors Chernick, C. M. 
(NIST); Topic Cryptography; Digital Signatures Family Audit & Accountability; System & Communication Protection Keywords Federal IT profile; interoperability of secure electronic mail; S/MIME profile; secure e-mail standards Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-49 Final SP 800-50 Building an Information Technology Security Awareness and Training Program Pub Date 10/1/2003 Abstract NIST Special Publication 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and Budget (OMB) Circular A-130, Appendix III.The document identifies the four critical steps in the life cycle of an IT security awareness and training program: 1) awareness and training program design (Section 3); 2) awareness and training material development (Section 4); 3) program implementation (Section 5); and 4) post-implementation (Section 6).The document is a companion publication to NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and PerformanceBased Model. The two publications are complementary - SP 800-50 works at a higher strategic level, discussing how to build an IT security awareness and training program, while SP 800-16 is at a lower tactical level, describing an approach to role-based IT security training. Authors Wilson, M. (NIST); Hash, J. 
(NIST); Topic Audit & Accountability; Awareness & Training Family Awareness & Training; Contingency Planning; Incident Response Keywords Awareness; certification; design; develop; education; implement; maintain; metrics; training Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Conduct Security Awareness Training Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-50 Final SP 800-51 Rev. 1 Guide to Using Vulnerability Naming Schemes Pub Date 2/1/2011 Abstract This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). SP 800-51 Revision 1 gives an introduction to both naming schemes and makes recommendations for end-user organizations on using their names. The publication also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings. Authors Waltermire, D. A. (NIST); Scarfone, K. A. (G2, Inc.); Topic Audit & Accountability; General IT Security; Incident Response; Services & Acquisitions Family Audit & Accountability; Configuration Management; Incident Response; Risk Assessment; System & Services Acquisition Keywords Common Configuration Enumeration (CCE); Common Vulnerabilities and Exposures (CVE); security automation; security configuration; Security Content Automation Protocol (SCAP); vulnerability naming; vulnerabilities Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-51-Rev.%201 Draft SP Pub Date Cloudburst Security, LLC 800-52 Rev. 
1 Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations 9/24/2013 Page 13 of 77 http://www.cloudburstsecurity.com
  • 14. Status Abstract Draft Series Pub# SP 800-52 Rev. 1 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Transport Layer Security (TLS) provides mechanisms to protect sensitive data during electronic dissemination across the Internet. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms, and requires that TLS 1.1 configured with FIPSbased cipher suites as the minimum appropriate secure transport protocol and recommends that agencies develop migration plans to TLS 1.2 by January 1, 2015. This Special Publication also identifies TLS extensions for which mandatory support must be provided and other recommended extensions. Authors Polk, W. T. (NIST); McKay, K. (NIST); Chokhani, S. (CygnaCom Solutions Topic Communications & Wireless; Cryptography; General IT Security; PKI Family System & Communication Protection Keywords information security; network security; SSL; TLS; Transport Layer Security Link Title http://csrc.nist.gov/publications/PubsSPs.html#800-52 Final SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations Pub Date 4/30/2013 Abstract This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. 
The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and assurance helps to ensure that information technology component products and the information systems built from those products using sound system and security engineering principles are sufficiently trustworthy. Authors Joint Task Force Transformation Initiative (); Topic Audit & Accountability; Authentication; Awareness & Training; Certification & Accreditation (C&A); Communications & Wireless; Contingency Planning; Cryptography; General IT Security; Incident Response; Maintenance; Planning; Risk Assessment; Services & Acquisitions; Viruses & Malware Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition Keywords assurance; computer security; FIPS Publication 199; FIPS Publication 200; FISMA; Privacy Act; Risk Management Framework; security controls; security requirements Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal 
Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-Rev.%204 Final SP 800-53 Rev. 3 Recommended Security Controls for Federal Information Systems and Organizations Pub Date 5/1/2010 Abstract The objective of NIST SP 800-53 is to provide a set of security controls that can satisfy the breadth and depth of security requirements levied on information systems and organizations and that is consistent with and complementary to other established information security standards. Revision 3 is the first major update since December 2005 and includes significant improvements to the security control catalog. Authors Joint Task Force Transformation Initiative (); Topic Audit & Accountability; Authentication; Awareness & Training; Certification & Accreditation (C&A); Communications & Wireless; Contingency Planning; Cryptography; General IT Security; Incident Response; Maintenance; Planning; Risk Assessment; Services & Acquisitions; Viruses & Malware Cloudburst Security, LLC Page 14 of 77 http://www.cloudburstsecurity.com
  • 15. Status Family Final Series Pub# SP 800-53 Rev. 3 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition Keywords Security controls; risk management framework; security control assurance; security requirements; common controls; security control baselines; managing risk; FISMA Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-Rev.%203 Final SP 800-53A Rev. 
1 Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans Pub Date 6/1/2010 Abstract Special Publication 800-53A, Revision 1 provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009 (including updates as of 05-01-2010). NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The updated security assessment guideline incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies and includes security control assessment procedures for both national security and non national security systems. The guideline for developing security assessment plans is intended to support a wide variety of assessment activities in all phases of the system development life cycle including development, implementation, and operation. The important changes described in Special Publication 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. The increased flexibility in the selection of assessment methods, assessment objects, and depth and coverage attribute values empowers organizations to place the appropriate emphasis on the assessment process at every stage in the system development life cycle. 
Authors Joint Task Force Transformation Initiative (); Topic Audit & Accountability; Certification & Accreditation (C&A) Family Certification, Accreditation & Security Assessments; Program Management; Risk Assessment Keywords FISMA; security controls; risk management; categorization; security assessment plans; assurance requirements; attributes; 800-53 Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-53-A%20Rev.%201 Final SP 800-54 Border Gateway Protocol Security Pub Date 7/1/2007 Abstract This document introduces the Border Gateway Protocol (BGP), explains its importance to the internet, and provides a set of best practices that can help in protecting BGP. Best practices described here are intended to be implementable on nearly all currently available BGP routers. While a number of enhanced protocols for BGP have been proposed, these generally require substantial changes to the protocol and may not interoperate with current BGP implementations. To improve the security of BGP routers, the recommendations listed below are introduced. While the recommendations can contribute to greatly improved BGP security, they are not a complete defense against all threats. Security administrators and decision makers should select and apply these methods based on their unique needs. Authors Kuhn, D. R. (NIST); Sriram, K. (NIST); Montgomery, D. C. (NIST); Topic Communications & Wireless; Planning Family Configuration Management; Planning; System & Communication Protection Keywords BGP; Border Gateway Protocol; computer security; routers Cloudburst Security, LLC Page 15 of 77 http://www.cloudburstsecurity.com
  • 16. Status Legal Final Series Pub# SP 800-54 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-54 Final SP 800-55 Rev. 1 Performance Measurement Guide for Information Security Pub Date 7/1/2008 Abstract This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports. Authors Chew, E. (NIST); Swanson, M. (NIST); Stine, K. M. (NIST); Bartol, N. (); Brown, A. (); Robinson, W. 
(); Topic Audit & Accountability; Certification & Accreditation (C&A); Maintenance; Planning Family Certification, Accreditation & Security Assessments; Maintenance; Planning; Program Management Keywords Information Security; Metrics; Measures; Security Controls; Performance; Reports Legal OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-55-Rev.%201 Final SP 800-56A Rev. 2 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography Pub Date 5/15/2013 Abstract This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman and Menezes-Qu-Vanstone(MQV) key establishment schemes. Authors Barker, E. B. (NIST); Chen, L. (NIST); Roginsky, A. (NIST); Smid, M. E. (Orion Security Solutions); Topic Cryptography Family System & Communication Protection Keywords Diffie-Hellman; elliptic curve cryptography; finite field cryptography; key-agreement; key-confirmation; key derivation; key establishment; keytransport; MQV Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-A%20Rev.1 Final SP 800-56B Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography Pub Date 8/1/2009 Abstract This Recommendation specifies key establishment schemes using integer factorization cryptography, based on ANS X9.44, Key Establishment using Integer Factorization Cryptography, which was developed by the Accredited Standards Committee (ASC) X9, Inc. Authors Barker, E. B. (NIST); Chen, L. (NIST); Regenscheid, A. R. (NIST); Smid, M. E. Topic Cryptography Family System & Communication Protection Keywords Assurances; integer factorization cryptography; key agreement; key confirmation; key derivation; key establishment; key management; key recovery; key transport. 
Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-B Title Final SP 800-56C Recommendation for Key Derivation through Extraction-then-Expansion Pub Date 11/1/2011 Abstract This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure. Authors Chen, L. (NIST); Topic Cryptography Family System & Communication Protection Keywords Key derivation; extraction; expansion Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-56-C Final SP Pub Date Cloudburst Security, LLC 800-57 Part 1 Rev. Recommendation for Key Management, Part 1: General (Revision 3) 3 7/1/2012 Page 16 of 77 http://www.cloudburstsecurity.com
  • 17.
SP 800-57 Part 1 Rev. (Final; entry continued from the previous page)
Abstract: This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
Authors: Barker, E. B. (NIST); Barker, W. C. (NIST); Burr, W. E. (NIST); Polk, W. T. (NIST); Smid, M. E. (Orion Security Solutions)
Topic: Authentication; Cryptography; Digital Signatures; PKI; Planning
Family: Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication Protection; System & Information Integrity
Keywords: Assurances; authentication; authorization; availability; backup; compromise; confidentiality; cryptanalysis; cryptographic key; cryptographic module; digital signature; hash function; key agreement; key management; key management policy; key recovery; key transport; originator usage period; private key; public key; recipient usage period; secret key; split knowledge; trust anchor
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%201

SP 800-57 Part 2 (Final): Recommendation for Key Management, Part 2: Best Practices for Key Management Organization
Pub Date: 8/1/2005
Abstract: This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
Authors: Barker, E. B. (NIST); Barker, W. C. (NIST); Burr, W. E. (NIST); Polk, W. T. (NIST); Smid, M. E. (Orion Security Solutions)
Topic: Authentication; Cryptography; Digital Signatures; PKI; Planning
Family: Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication Protection; System & Information Integrity
Keywords: Accreditation; certification; cryptographic key; digital signature; key management; key management policy; public key; public key infrastructure; security plan
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%202

SP 800-57 Part 3 (Final): Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
Pub Date: 12/1/2009
Abstract: This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
Authors: Barker, E. B. (NIST); Burr, W. E. (NIST); Jones, A. C. (Booz Allen Hamilton); Polk, W. T. (NIST); Rose, S. W. (NIST); Smid, M. E. (Orion Security Solutions); Dang, Q. H. (NIST)
Topic: Authentication; Cryptography; Digital Signatures; PKI; Planning
Family: Access Control; Audit & Accountability; Contingency Planning; Media Protection; Planning; System & Communication Protection; System & Information Integrity
Keywords: Accreditation; assurances; authentication; authorization; availability; backup; certification; compromise; confidentiality; cryptanalysis; cryptographic key; cryptographic module; digital signature; key management; key management policy; key recovery; private key; public key; public key infrastructure; security plan; trust anchor; validation
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-57-Part%203

SP 800-58 (Final): Security Considerations for Voice Over IP Systems
Pub Date: 1/1/2005
Abstract: Voice over Internet Protocol (VOIP) refers to the transmission of speech across data-style networks. This form of transmission is conceptually superior to conventional circuit-switched communication in many ways. However, a plethora of security issues are associated with still-evolving VOIP technology. This publication introduces VOIP, its security challenges, and potential countermeasures for VOIP vulnerabilities.
Authors: Kuhn, D. R. (NIST); Walsh, T. J. (NIST); Fries, S. (Siemens AG)
Topic: Communications & Wireless; Services & Acquisitions
Family: Access Control; Physical & Environmental Protection; Planning; System & Communication Protection
Keywords: Telecommunications security; Voice Over Internet Protocol; VOIP; vulnerabilities
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-58

SP 800-59 (Final): Guideline for Identifying an Information System as a National Security System
Pub Date: 8/1/2003
  • 18.
SP 800-59 (continued)
Abstract: This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act. In addition to defining the term national security system, FISMA amended the NIST Act, at 15 U.S.C. 278g-3(b)(3), to require NIST to provide guidelines for identifying an information system as a national security system. As stated in the House Committee report, "This guidance is not to govern such systems, but rather to ensure that agencies receive consistent guidance on the identification of systems that should be governed by national security system requirements" (Report of the Committee on Government Reform, U.S. House of Representatives, Report 107-787, November 14, 2002, p. 85). Accordingly, the purpose of these guidelines is not to establish requirements for national security systems, but rather to assist agencies in determining which, if any, of their systems are national security systems as defined by FISMA and are to be governed by applicable requirements for such systems, issued in accordance with law and as directed by the President. The guideline includes definitions of relevant terms, the legal or administrative basis for the definitions, a checklist to be used in determining whether or not a system is a national security system, and guidelines for completion of the checklist.
Authors: Barker, W. C. (NIST)
Topic: Certification & Accreditation (C&A)
Family: Risk Assessment
Keywords: Computer security; national security systems
Legal: Federal Information Security Management Act of 2002 (FISMA)/Identification of an Information System as a National Security System; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-59

SP 800-60 Rev. 1 (Final): Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories; Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
Pub Date: 8/1/2008
Abstract: Title III of the E-Government Act, titled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST to develop (1) standards to be used by all Federal agencies to categorize information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (2) guidelines recommending the types of information and information systems to be included in each such category. Special Publication 800-60 was issued in response to the second of these tasks. The revision to Volume I contains the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in Volume II include security categorization recommendations and rationale for mission-based and management and support information types.
Authors: Stine, K. M. (NIST); Kissel, R. (NIST); Barker, W. C. (NIST); Lee, A. (NIST); Fahlsing, J. (Science Applications International Corporation); Gulick, J. (Science Applications International Corporation)
Topic: Certification & Accreditation (C&A); Risk Assessment
Family: Program Management; Risk Assessment
Keywords: Computer security; cyber security; FISMA; categorization; information type; security category
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-60-Rev.%201

SP 800-61 Rev. 2 (Final): Computer Security Incident Handling Guide
Pub Date: 8/1/2012
Abstract: Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. It provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
Authors: Cichonski, P. (NIST); Millar, T. (Department of Homeland Security); Grance, T. (NIST); Scarfone, K. A. (Scarfone Cybersecurity)
Topic: Incident Response; Maintenance; Risk Assessment; Viruses & Malware
Family: Incident Response; System & Information Integrity
Keywords: Computer security incident; incident handling; incident response; threats; vulnerabilities
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-61-Rev.%202

SP 800-63-2 (Final): Electronic Authentication Guideline
Pub Date: 8/29/2013
  • 19.
SP 800-63-2 (continued)
Abstract: This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63-1.
Authors: Burr, W. E. (NIST); Dodson, D. F. (NIST); Newton, E. M. (NIST); Perlner, R. A. (NIST); Polk, W. T. (NIST); Gupta, S. (Electrosoft Services, Inc.); Nabbus, E. A. (Electrosoft Services, Inc.)
Topic: Authentication; Cryptography; PKI
Family: Identification & Authentication
Keywords: authentication; authentication assurance; credential service provider; electronic authentication; electronic credentials; identity proofing; passwords; PKI; tokens
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63--2

SP 800-64 Rev. 2 (Final): Security Considerations in the System Development Life Cycle
Pub Date: 10/1/2008
Abstract: The purpose of this guideline is to assist agencies in building security into their IT development processes. This should result in more cost-effective, risk-appropriate security control identification, development, and testing. This guide focuses on the information security components of the System Development Life Cycle (SDLC). Overall system implementation and development is considered outside the scope of this document. Also considered outside scope is an organization's information system governance process. First, the guideline describes the key security roles and responsibilities that are needed in development of most information systems. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC.
Authors: Kissel, R. (NIST); Stine, K. M. (NIST); Scholl, M. A. (NIST); Rossman, H. (Science Applications International Corporation); Fahlsing, J. (Science Applications International Corporation); Gulick, J. (Science Applications International Corporation)
Topic: General IT Security
Family: Planning; System & Services Acquisition
Keywords: Computer Security; Cyber Security; FISMA; SDLC; System Development
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-64-Rev.%202

SP 800-65 Rev. 1 (Draft): Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process
Pub Date: 7/14/2009
Abstract: SP 800-65 is intended to help organizations integrate information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
Authors: Bowen, P. (NIST); Kissel, R. (NIST); Scholl, M. A. (NIST); Robinson, W.; Stansfield, J.; Voldish, L.
Topic: Planning; Services & Acquisitions
Family: Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System & Services Acquisition
Legal: OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-65-Rev.%201

SP 800-65 (Final): Integrating IT Security into the Capital Planning and Investment Control Process
Pub Date: 1/1/2005
Abstract: Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. In addition, with increased competition for limited federal budgets and resources, agencies must ensure that available funding is applied towards the agencies' highest-priority IT security investments. Applying funding towards high-priority security investments supports the objective of maintaining appropriate security controls, both at the enterprise-wide and system level, commensurate with levels of risk and data sensitivity. This special publication introduces common criteria against which agencies can prioritize security activities to ensure that corrective actions identified in the annual FISMA reporting process are incorporated into the capital planning process to deliver maximum security in a cost-effective manner.
Authors: Hash, J. (NIST); Bartol, N.; Rollins, H.; Robinson, W.; Abeles, J.; Batdorff, S.
Topic: Services & Acquisitions
Family: Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment; System & Services Acquisition
Keywords: Capital planning and investment control; CPIC; FISMA; IT security investments
Legal: OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-65

SP 800-66 Rev. 1 (Final): An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
Pub Date: 10/1/2008
  • 20.
SP 800-66 Rev. 1 (continued)
Abstract: Special Publication 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.
Authors: Scholl, M. A. (NIST); Stine, K. M. (NIST); Hash, J. (NIST); Bowen, P. (NIST); Johnson, L. A. (NIST); Smith, C. D.; Steinberg, D. I.
Topic: Awareness & Training; Services & Acquisitions
Family: Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Contingency Planning; Identification & Authentication; Incident Response; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: Information Security; Healthcare; HIPAA; Security Rule
Legal: Health Insurance Portability and Accountability Act (HIPAA)/Standardize Electronic Data Interchange in Health Care Transactions
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-66-Rev.%201

SP 800-67 Rev. 1 (Final): Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
Pub Date: 1/1/2012
Abstract: This publication specifies the Triple Data Encryption Algorithm (TDEA), including its primary component cryptographic engine, the Data Encryption Algorithm (DEA). When implemented in an SP 800-38-series-compliant mode of operation and in a FIPS 140-2-compliant cryptographic module, TDEA may be used by Federal organizations to protect sensitive unclassified data. Protection of data during transmission or while in storage may be necessary to maintain the confidentiality and integrity of the information represented by the data. This Recommendation defines the mathematical steps required to cryptographically protect data using TDEA and to subsequently process such protected data. TDEA is made available for use by Federal agencies within the context of a total security program consisting of physical security procedures, good information management practices, and computer system/network access controls.
Authors: Barker, W. C. (NIST); Barker, E. B. (NIST)
Topic: Cryptography
Family: System & Communication Protection
Keywords: Block cipher; computer security; cryptography; data encryption algorithm; security; triple data encryption algorithm
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-67-Rev.%201

SP 800-68 Rev. 1 (Final): Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
Pub Date: 10/1/2008
Abstract: This publication assists IT professionals in securing Windows XP workstations, mobile computers, and computers used by telecommuters within various environments. The recommendations are specifically intended for Windows XP Professional systems running Service Pack 2 or 3. SP 800-68 Revision 1 provides detailed information about the security features of Windows XP and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of Windows XP systems in five types of environments: small office/home office, enterprise, specialized security-limited functionality, legacy, and Federal Desktop Core Configuration (FDCC).
Authors: Scarfone, K. A. (NIST); Souppaya, M. P. (NIST); Johnson, P. M. (Booz Allen Hamilton)
Topic: Audit & Accountability; Authentication; Maintenance
Family: Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Maintenance; System & Communication Protection; System & Information Integrity
Keywords: Federal Desktop Core Configuration; host security; Windows security; Windows XP security
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-68-Rev.%201

SP 800-69 (Final): Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
Pub Date: 9/1/2006
Abstract: The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist information technology (IT) professionals who may be responsible for securing Windows XP Home Edition computers within home offices for their organizations. Portions of the publication can also be used by home users, such as telecommuting Federal civilian agency employees and private sector organizations or individuals, to secure their personal Windows XP Home Edition computers from common threats such as malware and to keep their computers secure.
Authors: Kent, K. (NIST); Souppaya, M. P. (NIST); Connor, J. (Booz Allen Hamilton)
Topic: Maintenance
Keywords: Microsoft Windows; telecommuting; Windows XP; Windows XP Home Edition
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-69

SP 800-70 Rev. 2 (Final): National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
  • 21.
SP 800-70 Rev. 2 (continued)
Pub Date: 2/1/2011
Abstract: Special Publication 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 2 updates the previous version of the document, which was released in 2009, primarily by adding SCAP-oriented guidance and content related to the United States Government Configuration Baseline (USGCB).
Authors: Quinn, S. D. (NIST); Souppaya, M. P. (NIST); Cook, M. (G2, Inc.); Scarfone, K. A. (G2, Inc.)
Topic: Security Automation
Family: Configuration Management; System & Communication Protection
Keywords: Checklists; baseline; security configuration; security measurement; vulnerability measurement; vulnerability scoring
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-70-Rev.%202

SP 800-72 (Final): Guidelines on PDA Forensics
Pub Date: 11/1/2004
Abstract: Forensic specialists periodically encounter unusual devices and new technologies normally not envisaged as having immediate relevance from a digital forensics perspective. The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with Personal Digital Assistants (PDAs), and to prepare forensic specialists to deal with new situations when they are encountered. This guide provides an in-depth look into PDAs and explains associated technologies and their impact on the procedures for forensic specialists. It covers the characteristics of three families of devices (Pocket PC, Palm OS, and Linux-based PDAs) and the relevance of the operating systems associated with each.
Authors: Jansen, W. (NIST); Ayers, R. P. (NIST)
Topic: Forensics
Family: Audit & Accountability; Identification & Authentication; Media Protection
Keywords: Computer forensics; digital evidence; mobile device security
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-72

SP 800-73-3 (Final): Interfaces for Personal Identity Verification
Pub Date: 2/1/2010
Abstract: FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, defines procedures for the PIV lifecycle activities including identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201 also specifies that the identity credentials must be stored on a smart card. SP 800-73-3 contains the technical specifications to interface with the smart card to retrieve and use the identity credentials. The specifications reflect the design goals of interoperability and PIV Card functions. The goals are addressed by specifying a PIV data model, card edge interface, and application programming interface. Moreover, SP 800-73-3 enumerates requirements where the standards include options and branches.
Authors: Chandramouli, R. (NIST); Cooper, D. A. (NIST); Dray, J. F. (NIST); Ferraiolo, H. (NIST); Guthery, S. B. (HID Global); MacGregor, W. I. (NIST); Mehta, K. (Booz Allen Hamilton)
Topic: Authentication; Biometrics; Cryptography; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards
Family: Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
Keywords: HSPD-12; PIV; PACS; FIPS 201; PIV authentication mechanisms; Smart Card
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-73--3

SP 800-73-4 (Draft): Interfaces for Personal Identity Verification
Pub Date: 5/13/2013
Abstract: FIPS 201 defines the requirements and characteristics of a government-wide interoperable identity credential. FIPS 201 also specifies that this identity credential must be stored on a smart card. This document, SP 800-73, contains the technical specifications to interface with the smart card to retrieve and use the PIV identity credentials. The specifications reflect the design goals of interoperability and PIV Card functions. The goals are addressed by specifying a PIV data model, card edge interface, and application programming interface. Moreover, this document enumerates requirements where the international integrated circuit card standards [ISO7816] include options and branches. The specifications go further by constraining implementers' interpretations of the normative standards. Such restrictions are designed to ease implementation, facilitate interoperability, and ensure performance, in a manner tailored for PIV applications.
Authors: Chandramouli, R. (NIST); Cooper, D. A. (NIST); Ferraiolo, H. (NIST); Francomacaro, S. (NIST); Mehta, K. (NIST); Mohler, J. (Electrosoft Services, Inc.)
Topic: Authentication; Biometrics; Cryptography; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards
Family: Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
  • 22.
SP 800-73-4 (continued)
Keywords: authentication; FIPS 201; identity credential; logical access control; on-card biometric comparison; Personal Identity Verification (PIV); physical access control; smart cards; secure messaging
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsDrafts.html#800-73-4

SP 800-76-1 (Final): Biometric Data Specification for Personal Identity Verification
Pub Date: 1/1/2007
Abstract: This document, Special Publication 800-76, is a companion document to FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors. It describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is high-performance universal interoperability. For the preparation of biometric data suitable for the Federal Bureau of Investigation (FBI) background check, SP 800-76 references FBI documentation, including the ANSI/NIST Fingerprint Standard and the Electronic Fingerprint Transmission Specification. This document does not preclude use of other biometric modalities in conjunction with the PIV card.
Authors: Wilson, C. L. (NIST); Grother, P. J. (NIST); Chandramouli, R. (NIST)
Topic: Biometrics; Personal Identity Verification (PIV)
Family: Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Physical & Environmental Protection; System & Services Acquisition
Keywords: Conformance Test; SP 800-73; Personal Identity Verification; Derived Test Requirement; Test Assertions
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-76--1

SP 800-76-2 (Final): Biometric Specifications for Personal Identity Verification
Pub Date: 7/11/2013
Abstract: Homeland Security Presidential Directive HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors [HSPD12], called for new standards to be adopted governing interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard Personal Identity Verification (PIV) of Federal Employees and Contractors (FIPS 201), was developed to define procedures and specifications for issuance and use of an interoperable identity credential. This document, Special Publication 800-76 (SP 800-76), is a companion document to FIPS 201. It describes technical acquisition and formatting specifications for the PIV system, including the PIV Card itself. It also establishes minimum accuracy specifications for deployed biometric authentication processes. The approach is to enumerate procedures and formats for collection and preparation of fingerprint, iris and facial data, and to restrict values and practices included generically in published biometric standards. The primary design objective behind these particular specifications is to enable high performance and universal interoperability. The introduction of iris and face specifications into the current edition adds alternative modalities for biometric authentication and extends coverage to persons for whom fingerprinting is problematic. The addition of on-card comparison offers an alternative to PIN-mediated card activation as well as an additional authentication method.
Authors: Grother, P. J. (NIST); Salamon, W. (NIST); Chandramouli, R. (NIST)
Topic: Biometrics; Personal Identity Verification (PIV)
Family: Access Control; Certification, Accreditation & Security Assessments; Identification & Authentication; Physical & Environmental Protection; System & Services Acquisition
Keywords: biometrics; credentials; identity management
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-76--2

SP 800-77 (Final): Guide to IPsec VPNs
Pub Date: 12/1/2005
NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013)

Abstract: IPsec is a framework of open standards for ensuring private communications over public networks. It has become the most common network layer security control, typically used to create a virtual private network (VPN). A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and control information transmitted between networks. VPNs are used most often to protect communications carried over public networks such as the Internet. A VPN can provide several types of data protection, including confidentiality, integrity, data origin authentication, replay protection and access control. Although VPNs can reduce the risks of networking, they cannot totally eliminate them. This document discusses the need for network layer security and introduces the concept of virtual private networking (VPN). It covers the fundamentals of IPsec, focusing on its primary components: the Encapsulating Security Payload (ESP), the Authentication Header (AH), and the Internet Key Exchange (IKE). It describes issues to be considered during IPsec planning and implementation. It also discusses several alternatives to IPsec and describes when each method may be appropriate. Several case studies are presented that show how IPsec could be used in various scenarios. It ends with a brief discussion of future directions for IPsec. The document contains an IPsec-related bibliography and lists of print and online resources and tools that may be useful for IPsec planning and implementation.
Authors: Frankel, S. E. (NIST); Kent, K. (Booz Allen Hamilton); Lewkowski, R. (Booz Allen Hamilton); Orebaugh, A. D. (Booz Allen Hamilton); Ritchey, R. W. (Booz Allen Hamilton); Sharma, S. R. (Booz Allen Hamilton)
Topic: Communications & Wireless
Family: Access Control; Identification & Authentication; Maintenance; System & Communication Protection
Keywords: IPsec; network security; virtual private network; VPN
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-77

Status: Final
Series: SP
Pub#: 800-78-3
Title: Cryptographic Algorithms and Key Sizes for Personal Identification Verification
Pub Date: 12/1/2010
Abstract: This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, as well as the supporting infrastructure specified in FIPS 201 and the related Special Publication 800-73, Interfaces for Personal Identity Verification, and SP 800-76, Biometric Data Specification for Personal Identity Verification, that rely on cryptographic functions.
Authors: Polk, W. T. (NIST); Dodson, D. F. (NIST); Burr, W. E. (NIST); Ferraiolo, H. (NIST); Cooper, D. A. (NIST)
Topic: Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards
Family: Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
Keywords: PIV; FIPS 201; HSPD-12; Cryptography; digital signature; authentication; Personal Identity Verification; PIV
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-78--3

Status: Draft
Series: SP
Pub#: 800-78-4
Title: Cryptographic Algorithms and Key Sizes for Personal Identity Verification
Pub Date: 5/13/2013
Abstract: Federal Information Processing Standard 201 (FIPS 201) defines requirements for the PIV lifecycle activities including identity proofing, registration, PIV Card issuance, and PIV Card usage. FIPS 201 also defines the structure of an identity credential that includes cryptographic keys. This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201 as well as the supporting infrastructure specified in FIPS 201 and the related Special Publication 800-73, Interfaces for Personal Identity Verification [SP800-73], and SP 800-76, Biometric Data Specification for Personal Identity Verification [SP800-76], that rely on cryptographic functions.
Authors: Polk, W. T. (NIST); Dodson, D. F. (NIST); Burr, W. E. (NIST); Ferraiolo, H. (NIST); Cooper, D. A. (NIST)
Topic: Authentication; Cryptography; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards
Family: Access Control; Identification & Authentication; Physical & Environmental Protection; System & Communication Protection
Keywords: cryptographic algorithm; FIPS 201; identity credential; Personal Identity Verification (PIV); smart cards
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsDrafts.html#800-78-4

Status: Final
Series: SP
Pub#: 800-79-1
Title: Guidelines for the Accreditation of Personal Identity Verification Card Issuers
Pub Date: 6/1/2008
Abstract: The purpose of this publication is to provide appropriate and useful guidelines for accrediting the reliability of issuers of Personal Identity Verification cards that are established to collect, store, and disseminate personal identity credentials and issue smart cards, based on the standards published in response to Homeland Security Presidential Directive 12 (HSPD-12). These issuers, who are the target of assessment and accreditation, are called Personal Identity Verification Card Issuers or PCIs. The reliability of PCIs is of utmost importance when one organization (e.g., a Federal agency or Federal contractor) is required to trust the identity credentials and cards of individuals that were created and issued, respectively, by another organization. This trust will only exist if organizations relying on the credentials and cards issued by a given organization have the necessary level of assurance that the reliability of the issuing organization has been established through a formal accreditation process. This publication provides an assessment and accreditation methodology for verifying that issuers of PIV credentials and cards are reliably adhering to standards and implementation directives developed under HSPD-12.
Authors: Chandramouli, R. (NIST); Bailey, D. (Electrosoft Services, Inc.); Ghadiali, N.; Branstad, D. K. (NIST)
Topic: Personal Identity Verification (PIV); Services & Acquisitions
Family: Certification, Accreditation & Security Assessments
Keywords: Accreditation; credentials; HSPD-12; PCI; Personal Identity Verification; PIV; security assessment
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-79--1

Status: Final
Series: SP
Pub#: 800-81-2
Title: Secure Domain Name System (DNS) Deployment Guide
Pub Date: 9/13/2013
Abstract: The Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back. The DNS infrastructure is made up of computing and communication entities called Name Servers, each of which contains information about a small portion of the domain name space. The domain name data provided by DNS is intended to be available to any computer located anywhere in the Internet. This document provides deployment guidelines for securing DNS within an enterprise. Because DNS data is meant to be public, preserving the confidentiality of DNS data. The primary security goals for DNS are data integrity and source authentication, which are needed to ensure the authenticity of domain name information and maintain the integrity of domain name information in transit. This document provides extensive guidance on maintaining data integrity and performing source authentication. DNS components are often subjected to denial-of-service attacks intended to disrupt access to the resources whose domain names are handled by the attacked DNS components. This document presents guidelines for configuring DNS deployments to prevent many denial-of-service attacks that exploit vulnerabilities in various DNS components.
Authors: Chandramouli, R. (NIST); Rose, S. W. (NIST)
Topic: Communications & Wireless; Planning
Family: Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System & Communication Protection
Keywords: Authoritative Name Server; Caching Name Server; Domain Name System (DNS); DNS Query/Response; DNS Security Extensions (DNSSEC); Resource Record (RR); Trust Anchor; Validating Resolver
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-81--2

Status: Final
Series: SP
Pub#: 800-81 Rev. 1
Title: Secure Domain Name System (DNS) Deployment Guide
Pub Date: 4/1/2010
Abstract: This document provides deployment guidelines for securing the Domain Name System (DNS) in any enterprise, whether a government agency or a corporate entity. The deployment guidelines follow from an analysis of security objectives and consequent protection approaches for all DNS components. This document was originally published in May 2006. Since then the following IETF RFCs, FIPS and NIST cryptographic guidance documents have been published, and this revision takes into account the specifications and recommendations found in those documents: DNSSEC Operational Practices (RFC 4641), Automated Updates for DNS Security (DNSSEC) Trust Anchors (RFC 5011), DNS Security (DNSSEC) Hashed Authenticated Denial of Existence (RFC 5155), HMAC SHA TSIG Algorithm Identifiers (RFC 4635), The Keyed-Hash Message Authentication Code (HMAC) (FIPS 198-1), Digital Signature Standard (FIPS 186-3) and Recommendations for Key Management (SP 800-57P1 & SP 800-57P3). In addition, this revision provides illustrations of secure configuration examples using the DNS software offering NSD, in addition to BIND; guidelines on procedures for migrating to a new cryptographic algorithm for signing of the zone (Section 11.5); guidelines for procedures for migrating to NSEC3 specifications from NSEC for providing authenticated denial of existence (Section 11.6); and deployment guidelines for split-zone under different scenarios (Section 11.7).
Authors: Chandramouli, R. (NIST); Rose, S. W. (NIST)
Topic: Communications & Wireless; Planning
Family: Access Control; Configuration Management; Contingency Planning; Identification & Authentication; Planning; System & Communication Protection
Keywords: Checklists; denial of service; DNS; DNS Security Extensions; DNSSEC; Domain Name System; information system security; Internet Protocol (IP); risks; vulnerabilities
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-81-Rev.%201

Status: Final
Series: SP
Pub#: 800-82 Rev. 1
Title: Guide to Industrial Control Systems (ICS) Security
Pub Date: 5/14/2013
Abstract: This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.
Authors: Stouffer, K. A. (NIST); Falco, J. A. (NIST); Scarfone, K. A. (Scarfone Cybersecurity)
Topic: Cyber-Physical Systems & Smart Grid; Risk Assessment
Keywords: computer security; distributed control systems (DCS); industrial control systems (ICS); information security; network security; programmable logic controllers (PLC); risk management; security controls; supervisory control and data acquisition (SCADA) systems
Legal: Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-82-Rev.%201

Status: Final
Series: SP
Pub#: 800-83 Rev. 1
Title: Guide to Malware Incident Prevention and Handling for Desktops and Laptops
Pub Date: 7/22/2013
Abstract: Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization's malware incident prevention measures. It also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones.
Authors: Souppaya, M. P. (NIST); Scarfone, K. A. (Scarfone Cybersecurity)
Topic: Incident Response; Maintenance; Viruses & Malware
Family: Access Control; Audit & Accountability; Configuration Management; Contingency Planning; Incident Response; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: incident response; information security; malware
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-83-Rev.%201

Status: Final
Series: SP
Pub#: 800-84
Title: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
Pub Date: 9/1/2006
Abstract: The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist organizations in designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events in an effort to aid personnel in preparing for adverse situations involving information technology (IT). The events are designed to train personnel, exercise IT plans, and test IT systems, so that an organization can maximize its ability to prepare for, respond to, manage, and recover from disasters that may affect its mission. The guide describes the design, development, conduct, and evaluation of events for single organizations, as opposed to large-scale events that may involve multiple organizations.
Authors: Grance, T. (NIST); Nolan, T. (Booz Allen Hamilton); Burke, K. (Booz Allen Hamilton); Dudley, R. (Booz Allen Hamilton); White, G. (University of Texas-San Antonio); Good, T. (University of Texas-San Antonio)
Topic: Certification & Accreditation (C&A); Contingency Planning; Incident Response; Maintenance; Risk Assessment
Keywords: Contingency plan; exercise; FISMA; incident response plan; test; training and exercise
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-84

Status: Final
Series: SP
Pub#: 800-85A-2
Title: PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 Compliance)
Pub Date: 7/1/2010
Abstract: The objective of this document is to provide test requirements and test assertions that could be used to validate the compliance/conformance of two PIV components: PIV middleware and PIV card application with the specification in NIST SP 800-73-3, Interfaces for Personal Identity Verification.
Authors: Chandramouli, R. (NIST); Ferraiolo, H. (NIST); Mehta, K. (Booz Allen Hamilton)
Topic: Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Family: Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition
Keywords: PIV; HSPD-12; Smart Cards; Identity Management; Testing; SP 800-73-3
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-A-2

Status: Draft
Series: SP
Pub#: 800-85B-1
Title: PIV Data Model Test Guidelines
Pub Date: 9/1/2009
Abstract: A robust testing framework and guidelines to provide assurance that a particular component or system is compliant with FIPS 201 and supporting standards should exist to build the necessary PIV infrastructure to support common unified processes and systems for government-wide use. NIST developed test guidelines in two parts. The first part addresses test requirements for the interface to the PIV card, which are provided in NIST Special Publication 800-85 (SP 800-85A). The second part provides test requirements for the PIV data model and is provided in this document. This document specifies the derived test requirements, and the detailed test assertions and conformance tests for testing the PIV data model.
Authors: Chandramouli, R. (NIST); Ferraiolo, H. (NIST); Founds, A. P.; Ghadiali, N.; Mehta, K. (Booz Allen Hamilton); Simon, D.; Uzamere II, P. A.
Topic: Personal Identity Verification (PIV); Services & Acquisitions
Family: Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-B-1

Status: Final
Series: SP
Pub#: 800-85B
Title: PIV Data Model Test Guidelines
Pub Date: 7/1/2006
Abstract: In order to build the necessary PIV infrastructure to support common unified processes and government-wide use of identity credentials, NIST developed this test guidance document that ensures interoperability of PIV data. This document provides test requirements for the PIV data model. This test guidance document specifies the test plan, processes, derived test requirements, and the detailed test assertions / conformance tests for testing the PIV data model.
Authors: Chandramouli, R. (NIST); Mehta, K. (Mehta, Inc.); Uzamere II, P. A.; Simon, D.; Ghadiali, N.; Founds, A. P.
Topic: Personal Identity Verification (PIV); Services & Acquisitions
Family: Certification, Accreditation & Security Assessments; System & Information Integrity; System & Services Acquisition
Keywords: Personal Identity Verification; PIV Card; HSPD-12; FIPS 201; PIV Data Model Testing; Smart Card
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-85-B

Status: Final
Series: SP
Pub#: 800-86
Title: Guide to Integrating Forensic Techniques into Incident Response
Pub Date: 8/1/2006
Abstract: This publication is intended to help organizations in investigating computer security incidents and troubleshooting some information technology (IT) operational problems by providing practical guidance on performing computer and network forensics. The guide presents forensics from an IT view, not a law enforcement view. Specifically, the publication describes the processes for performing effective forensics activities and provides advice regarding different data sources, including files, operating systems (OS), network traffic, and applications. The publication is not to be used as an all-inclusive step-by-step guide for executing a digital forensic investigation or construed as legal advice. Its purpose is to inform readers of various technologies and potential ways of using them in performing incident response or troubleshooting activities. Readers are advised to apply the recommended practices only after consulting with management and legal counsel for compliance concerning laws and regulations (i.e., local, state, Federal, and international) that pertain to their situation.
Authors: Kent, K. (NIST); Chevalier, S. (Booz Allen Hamilton); Grance, T. (NIST); Dang, H. (Booz Allen Hamilton)
Topic: Forensics; Incident Response
Family: Audit & Accountability; Configuration Management; Contingency Planning; Identification & Authentication; Media Protection; Physical & Environmental Protection; System & Information Integrity
Keywords: FISMA; Forensics; Incident Response
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-86

Status: Final
Series: SP
Pub#: 800-87 Rev. 1
Title: Codes for Identification of Federal and Federally-Assisted Organizations
Pub Date: 4/1/2008
Abstract: The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) for Federal Employees and Contractors, (Federal Information Processing Standard 201 (FIPS 201)) was developed to establish standards for identity credentials. This document, Special Publication 800-87 (SP 800-87), provides the organizational codes necessary to establish the PIV Federal Agency Smart Credential Number (PIV FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier (CHUID) and is a companion document to FIPS 201.
Authors: Barker, W. C. (NIST); Ferraiolo, H. (NIST)
Topic: Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Family: Access Control; Identification & Authentication
Keywords: HSPD-12; PIV; PACS; FIPS 201; identity credentials; Smart Card; personal identification verification
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-87-Rev.%201

Status: Draft
Series: SP
Pub#: 800-88 Rev. 1
Title: Guidelines for Media Sanitization
Pub Date: 9/6/2012
Abstract: SP 800-88 discusses methods, techniques and best practices for the sanitization of target data on different media types and risk-based approaches organizations can apply to establish and maintain a media sanitization program.
Authors: Kissel, R. (NIST); Scholl, M. A. (NIST); Skolochenko, S. (NIST); Li, X. (NIST)
Topic: Certification & Accreditation (C&A); Forensics; General IT Security; Maintenance; Risk Assessment
Family: Maintenance; Media Protection; Risk Assessment
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-88-Rev.%201

Status: Final
Series: SP
Pub#: 800-88
Title: Guidelines for Media Sanitization
Pub Date: 9/11/2006
Abstract: Information systems capture, process, and store information using a wide variety of media. This information is located not only on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information created, processed, and stored by an information technology (IT) system throughout its life, from inception through disposition, is a primary concern of an information system owner and the custodian of the data. With the more prevalent use of increasingly sophisticated encryption, an attacker wishing to gain access to an organization's sensitive information is forced to look outside the system itself for that information. One avenue of attack is the recovery of supposedly deleted data from media. These residual data may allow unauthorized individuals to reconstruct data and thereby gain access to sensitive information. Sanitization can be used to thwart this attack by ensuring that deleted data cannot be easily recovered. When storage media are transferred, become obsolete, or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical, electrical, or other representation of data that has been deleted is not easily recoverable. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed. This guide will assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information.
Authors: Kissel, R. (NIST); Scholl, M. A. (NIST); Skolochenko, S. (NIST); Li, X. (NIST)
Topic: Certification & Accreditation (C&A); Forensics; General IT Security; Maintenance; Risk Assessment
Family: Maintenance; Media Protection; Risk Assessment
Keywords: Information disposal; media disposal; media sanitization; storage security; purge; sanitization
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-88

Status: Final
Series: SP
Pub#: 800-89
Title: Recommendation for Obtaining Assurances for Digital Signature Applications
Pub Date: 11/1/2006
Abstract: Entities participating in the generation or verification of digital signatures depend on the authenticity of the process. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the private key, and assurance of the identity of the key pair owner.
Authors: Barker, E. B. (NIST)
Topic: Authentication; Digital Signatures; PKI
Family: Audit & Accountability; Planning; System & Communication Protection
Keywords: assurance; Certification Authority; digital signatures; timestamp token; Trusted Timestamp Authority
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-89

Status: Draft
Series: SP
Pub#: 800-90A Rev. 1
Title: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Pub Date: 9/9/2013
Abstract: This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions, block cipher algorithms or number theoretic problems.
Authors: Barker, E. B. (NIST); Kelsey, J. M. (NIST)
Topic: Cryptography
Family: System & Communication Protection
Keywords: deterministic random bit generator (DRBG); entropy; hash function; random number generator
Link: http://csrc.nist.gov/publications/PubsSPs.html#800-90ABC

Status: Final
Series: SP
Pub#: 800-90A
Title: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
Pub Date: 1/1/2012
Abstract: This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions, block cipher algorithms or number theoretic problems.
Authors: Barker, E. B. (NIST); Kelsey, J. M. (NIST)
Topic: Cryptography
Family: System & Communication Protection
Keywords: deterministic random bit generator (DRBG); entropy; hash function; random number generator
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-90-A

Status: Draft
Series: SP
Pub#: 800-90B
Title: Recommendation for the Entropy Sources Used for Random Bit Generation
Pub Date: 9/9/2013
Abstract: This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C.
Authors: Barker, E. B. (NIST); Kelsey, J. M. (NIST)
Topic: Cryptography
Family: System & Communication Protection
Keywords: deterministic random bit generator (DRBG); entropy; hash function; random number generator; noise source; entropy source; conditioning component
Link: http://csrc.nist.gov/publications/PubsSPs.html#800-90ABC

Status: Draft
Series: SP
Pub#: 800-90C
Title: Recommendation for Random Bit Generator (RBG) Constructions
Pub Date: 9/9/2013
Abstract: SP 800-90C specifies constructions for the implementation of random bit generators (RBGs). An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms as specified in SP 800-90A and entropy sources as specified in SP 800-90B.
Authors: Barker, E. B. (NIST); Kelsey, J. M. (NIST)
Topic: Cryptography
Family: System & Communication Protection
Keywords: deterministic random bit generator (DRBG); entropy; entropy source; nondeterministic random bit generator (NRBG); random number generator; source of entropy input
Link: http://csrc.nist.gov/publications/PubsSPs.html#800-90ABC

Status: Final
Series: SP
Pub#: 800-92
Title: Guide to Computer Security Log Management
Pub Date: 9/1/2006
Abstract: The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. The guidance in this publication covers several topics, including establishing log management infrastructures, and developing and performing robust log management processes throughout an organization. The publication presents logging technologies from a high-level viewpoint, and it is not a step-by-step guide to implementing or using logging technologies.
Authors: Kent, K. (NIST); Souppaya, M. P. (NIST)
Topic: Audit & Accountability
Family: Audit & Accountability; Incident Response; Media Protection; Physical & Environmental Protection; System & Information Integrity
Keywords: computer security log management; FISMA; log management
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-92

Status: Final
Series: SP
Pub#: 800-94
Title: Guide to Intrusion Detection and Prevention Systems (IDPS)
Pub Date: 2/1/2007
Abstract: The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. This publication seeks to assist organizations in understanding intrusion detection system (IDS) and intrusion prevention system (IPS) technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems (IDPS). It provides practical, real-world guidance for each of four classes of IDPS: network-based, wireless, network behavior analysis software, and host-based. The publication also provides an overview of complementary technologies that can detect intrusions, such as security information and event management software. It focuses on enterprise IDPS, but most of the information in the publication is also applicable to standalone and small-scale IDPS deployments.
Authors: Scarfone, K. A. (NIST); Mell, P. M. (NIST)
Topic: Audit & Accountability; Forensics; Incident Response; Planning
Family: Audit & Accountability; Incident Response; Planning
Keywords: FISMA; intrusion detection; intrusion detection and prevention; intrusion prevention
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-94

Status: Draft
Series: SP
Pub#: 800-94 Rev. 1
Title: Guide to Intrusion Detection and Prevention Systems (IDPS)
Pub Date: 7/25/2012
Abstract: Intrusion detection and prevention systems (IDPS) are focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based.
Authors: Scarfone, K. A. (Scarfone Cybersecurity); Mell, P. M. (NIST)
Topic: Audit & Accountability; Forensics; Incident Response; Planning
Family: Audit & Accountability; Incident Response; Planning
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-94-Rev.%201

Status: Final
Series: SP
Pub#: 800-95
Title: Guide to Secure Web Services
Pub Date: 8/1/2007
Abstract: The advance of Web services technologies promises to have far-reaching effects on the Internet and enterprise networks. Web services based on the eXtensible Markup Language (XML), SOAP, and related open standards, and deployed in Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and ad hoc connections. The security challenges presented by the Web services approach are formidable and unavoidable. Many of the features that make Web services attractive, including greater accessibility of data, dynamic application-to-application connections, and relative autonomy are at odds with traditional security models and controls. Ensuring the security of Web services involves augmenting traditional security mechanisms with security frameworks based on use of authentication, authorization, confidentiality, and integrity mechanisms. This document describes how to implement those security mechanisms in Web services. It also discusses how to make Web services and portal applications robust against the attacks to which they are subject.
Authors: Singhal, A. (NIST); Winograd, T. (Booz Allen Hamilton); Scarfone, K. A. (NIST)
Topic: General IT Security; Planning; Research
Family: Planning; System & Communication Protection
Keywords: Application security; Web services
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-95

Status: Final
Series: SP
Pub#: 800-96
Title: PIV Card to Reader Interoperability Guidelines
Pub Date: 9/1/2006
Abstract: The purpose of this document is to present recommendations for Personal Identity Verification (PIV) card readers in the area of performance and communications characteristics to foster interoperability. This document is not intended to re-state or contradict requirements specifically identified in Federal Information Processing Standard 201 (FIPS 201) or its associated documents. It is intended to augment existing standards to enable agencies to achieve the interoperability goal of Homeland Security Presidential Directive 12 (HSPD-12). The document provides requirements that facilitate interoperability between any card and any reader. Specifically, the recommendations are for end-point cards and readers designed to read end-point cards.
Authors: Dray, J. F. (NIST); Giles, A. (General Services Administration); Kelley, M. (BearingPoint); Chandramouli, R. (NIST)
Topic: Personal Identity Verification (PIV); Smart Cards
Family: Access Control; Identification & Authentication; Physical & Environmental Protection
Keywords: Personal Identity Verification; PIV Card; PIV Card Reader; HSPD-12; FIPS 201
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-96

SP 800-97 (Final): Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
Pub Date: 2/1/2007
Abstract: This report provides readers with a detailed explanation of next generation 802.11 wireless security. It describes the inherently flawed Wired Equivalent Privacy (WEP) and explains 802.11i's two-step approach (interim and long-term) to providing effective wireless security. It describes secure methods used to authenticate users in a wireless environment, and presents several sample case studies of wireless deployment. It also includes guidance on best practices for establishing secure wireless networks using the emerging Wi-Fi technology.
Authors: Frankel, S. E. (NIST); Eydt, B. (Booz Allen Hamilton); Owens, L. (Booz Allen Hamilton); Scarfone, K. A. (NIST)
Topic: Communications & Wireless; Services & Acquisitions
Family: Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition
Keywords: IEEE 802.11; network security; Wi-Fi; wireless local area network; wireless networking
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-97

SP 800-98 (Final): Guidelines for Securing Radio Frequency Identification (RFID) Systems
Pub Date: 4/1/2007
Abstract: This publication seeks to assist organizations in understanding the risks of RFID technology and security measures to mitigate those risks. It provides practical, real-world advice on how to initiate, design, implement and operate RFID systems in a manner that mitigates security and privacy risks. The document also provides background information on RFID applications, standards, and system components to assist in the understanding of RFID security risks and controls. This document presents information that is independent of particular hardware platforms, operating systems, and applications. The emphasis is on RFID systems that are based on industry and international standards, although the existence of proprietary approaches is noted when they offer relevant security features not found in current standards.
Authors: Karygiannis, A. T. (NIST); Eydt, B. (Booz Allen Hamilton); Barber, G. (Booz Allen Hamilton); Bunn, L. (Booz Allen Hamilton); Phillips, T. (Booz Allen Hamilton)
Topic: Communications & Wireless; Planning
Family: Identification & Authentication; Physical & Environmental Protection; System & Communication Protection; System & Services Acquisition
Keywords: Radio Frequency Identification; RFID; Security; Privacy
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-98

SP 800-100 (Final): Information Security Handbook: A Guide for Managers
Pub Date: 3/7/2007
Abstract: This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision making process for developing an information security program. National Institute of Standards and Technology (NIST) Interagency Report (IR) 7298, Glossary of Key Information Security Terms, provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.
Authors: Bowen, P. (NIST); Hash, J. (NIST); Wilson, M. (NIST)
Topic: General IT Security
Family: Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: Awareness; capital planning; certification; configuration management; contingency plan; incident response; interconnecting systems; performance measures; risk management; security governance; security plans; security services; system development life cycle; training
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-100

SP 800-101 Rev. 1 (Draft): Guidelines on Mobile Device Forensics
Pub Date: 9/4/2013
Abstract: Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies involved and their relationship to forensic procedures. The goal of mobile forensics is the practice of utilizing sound methodologies for the acquisition of data contained within the internal memory of a mobile device and associated media providing the ability to accurately report one's findings. This guide also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital evidence. The issue of ever increasing backlogs for most digital forensics labs is addressed and guidance is provided on handling on-site triage casework.
Authors: Ayers, R. P. (NIST); Brothers, S. (U.S. Customs and Border Protection); Jansen, W. (Booz Allen Hamilton)
Topic: Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions
Family: Incident Response; Planning; System & Services Acquisition
Keywords: Computer forensics; digital evidence; mobile device security
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-101-Rev.%201

SP 800-101 (Final): Guidelines on Cell Phone Forensics
Pub Date: 5/1/2007
Abstract: Forensic specialists periodically encounter unusual devices and new technologies outside of traditional computer forensics. Cell phones are an emerging area with such characteristics. The objective of this guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones, when they arise. This guide provides an in-depth look into cell phones and explains associated technologies and their effect on the procedures followed by forensic specialists. It also discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital information present on cell phones, as well as available forensic software tools that support those activities.
Authors: Jansen, W. (NIST); Ayers, R. P. (NIST)
Topic: Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions
Family: Incident Response; Planning; System & Services Acquisition
Keywords: Computer Forensics; Cell Phones; Digital Evidence
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-101

SP 800-102 (Final): Recommendation for Digital Signature Timeliness
Pub Date: 9/1/2009
Abstract: Establishing the time when a digital signature was generated is often a critical consideration. A signed message that includes the (purported) signing time provides no assurance that the private key was used to sign the message at that time unless the accuracy of the time can be trusted. With the appropriate use of digital signature-based timestamps from a Trusted Timestamp Authority (TTA) and/or verifier-supplied data that is included in the signed message, the signatory can provide some level of assurance about the time that the message was signed.
Authors: Barker, E. B. (NIST)
Topic: Authentication; Cryptography; Digital Signatures
Family: System & Communication Protection
Keywords: Digital signatures; timeliness; timestamp; Trusted Timestamp Authority
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-102

SP 800-103 (Draft): An Ontology of Identity Credentials - Part 1: Background and Formulation
Pub Date: 10/6/2006
Abstract: This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information.
Authors: MacGregor, W. I. (NIST); Dutcher, W. (Booz Allen Hamilton); Khan, J. (Booz Allen Hamilton)
Topic: Authentication; Biometrics; General IT Security; Personal Identity Verification (PIV); Smart Cards
Family: Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection; System & Communication Protection
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-103

SP 800-104 (Final): A Scheme for PIV Visual Card Topography
Pub Date: 6/1/2007
Abstract: The purpose of this document is to provide additional recommendations on the Personal Identity Verification (PIV) Card color-coding for designating employee affiliation. The recommendations in this document complement FIPS 201 in order to increase the reliability of PIV card visual verification.
Authors: MacGregor, W. I. (NIST); Schwarzhoff, T. (NIST); Mehta, K. (Mehta, Inc.)
Topic: Authentication; Personal Identity Verification (PIV); Smart Cards
Family: Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection
Keywords: PIV; FIPS 201; personal identification verification
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Conduct Security Awareness Training
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-104

SP 800-106 (Final): Randomized Hashing for Digital Signatures
Pub Date: 2/1/2009
Abstract: NIST-approved digital signature algorithms require the use of an approved cryptographic hash function in the generation and verification of signatures. Approved cryptographic hash functions and digital signature algorithms can be found in FIPS 180-3, Secure Hash Standard (SHS), and FIPS 186-3, Digital Signature Standard (DSS), respectively. The security provided by the cryptographic hash function is vital to the security of a digital signature application. This Recommendation specifies a method to enhance the security of the cryptographic hash functions used in digital signature applications by randomizing the messages that are signed.
Authors: Dang, Q. H. (NIST)
Topic: Cryptography; Digital Signatures
Family: Identification & Authentication; System & Communication Protection; System & Information Integrity
Keywords: Digital signature; cryptographic hash function; hash function; collision resistance; randomized hashing.
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-106

SP 800-107 Rev. 1 (Final): Recommendation for Applications Using Approved Hash Algorithms
Pub Date: 8/1/2012
Abstract: Hash functions that compute a fixed-length message digest from arbitrary length messages are widely used for many purposes in information security. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved hash functions specified in Federal Information Processing Standard (FIPS) 180-4. These include functions such as digital signatures, Keyed-hash Message Authentication Codes (HMACs) and Hash-based Key Derivation Functions (Hash-based KDFs).
Authors: Dang, Q. H. (NIST)
Topic: Cryptography; Digital Signatures
Family: Identification & Authentication; System & Communication Protection; System & Information Integrity
Keywords: Digital signatures; hash algorithms; cryptographic hash function; hash function; hash-based key derivation algorithms; hash value; HMAC; message digest; randomized hashing; random number generation; SHA; truncated hash values.
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-107-Rev.%201

SP 800-108 (Final): Recommendation for Key Derivation Using Pseudorandom Functions (Revised)
Pub Date: 10/1/2009
Abstract: This Recommendation specifies techniques for the derivation of additional keying material from a secret key, either established through a key establishment scheme or shared through some other manner, using pseudorandom functions.
Authors: Chen, L. (NIST)
Topic: Cryptography; General IT Security
Keywords: Key derivation; pseudorandom function.
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-108

SP 800-111 (Final): Guide to Storage Encryption Technologies for End User Devices
Pub Date: 11/1/2007
Abstract: Many threats against end user devices, such as desktop and laptop computers, smart phones, personal digital assistants, and removable media, could cause information stored on the devices to be accessed by unauthorized parties. To prevent such disclosures of information, the information needs to be secured. This publication explains the basics of storage encryption, which is the process of using encryption and authentication to restrict access to and use of stored information. The appropriate storage encryption solution for a particular situation depends primarily upon the type of storage, the amount of information that needs to be protected, the environments where the storage will be located, and the threats that need to be mitigated. This publication describes three types of solutions—full disk encryption, volume and virtual disk encryption, and file/folder encryption—and makes recommendations for implementing and using each type. This publication also includes several use case examples, which illustrate that there are multiple ways to meet most storage encryption needs.
Authors: Scarfone, K. A. (NIST); Souppaya, M. P. (NIST); Sexton, M. (Booz Allen Hamilton)
Topic: Cryptography; General IT Security
Family: Configuration Management; Media Protection; System & Communication Protection; System & Information Integrity
Keywords: Computer security; mobile device security; removable media security; storage encryption; storage security
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-111

SP 800-113 (Final): Guide to SSL VPNs
Pub Date: 7/1/2008
Abstract: Secure Sockets Layer (SSL) Virtual Private Networks (VPNs) provide users with secure remote access to an organization's resources. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers. The traffic between the Web browser and SSL VPN device is encrypted with the SSL protocol. SSL VPNs can provide remote users with access to Web applications and client/server applications, as well as connectivity to internal networks. They offer versatility and ease of use because they use the SSL protocol, which is included with all standard Web browsers, so special client configuration or installation is often not required. In planning a VPN deployment, many organizations are faced with a choice between an IPsec-based VPN and an SSL-based VPN. This document seeks to assist organizations in understanding SSL VPN technologies. The publication also makes recommendations for designing, implementing, configuring, securing, monitoring, and maintaining SSL VPN solutions. SP 800-113 provides a phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments. It also includes a comparison with other similar technologies such as Internet Protocol Security (IPsec) VPNs and other VPN solutions.
Authors: Frankel, S. E. (NIST); Hoffman, P. (Virtual Private Network Consortium); Orebaugh, A. D. (Booz Allen Hamilton); Park, R. (Booz Allen Hamilton)
Topic: Authentication; Communications & Wireless; Cryptography; Planning
Family: Access Control; Identification & Authentication; Planning; System & Communication Protection; System & Information Integrity
Keywords: Secure sockets layer; secure remote access; SSL; TLS; transport layer security; virtual private network; VPN
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-113

SP 800-114 (Final): User's Guide to Securing External Devices for Telework and Remote Access
Pub Date: 11/1/2007
Abstract: This publication helps teleworkers secure the external devices they use for telework, such as personally owned and privately owned desktop and laptop computers and consumer devices (e.g., cell phones, personal digital assistants [PDA]). The document focuses specifically on security for telework involving remote access to their organization's nonpublic computing resources. It provides practical, real-world recommendations for securing telework computers' operating systems (OS) and applications, as well as home networks that the computers use. It presents basic recommendations for securing consumer devices used for telework. The document also presents advice on protecting the information stored on telework computers and removable media. In addition, it provides tips on considering the security of a device owned by a third party before deciding whether it should be used for telework.
Authors: Scarfone, K. A. (NIST); Souppaya, M. P. (NIST)
Topic: Authentication; Communications & Wireless; General IT Security
Family: Access Control; Configuration Management; System & Communication Protection
Keywords: Remote access security; remote access; telework
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-114

SP 800-115 (Final): Technical Guide to Information Security Testing and Assessment
Pub Date: 9/1/2008
Abstract: The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use.
Authors: Scarfone, K. A. (NIST); Souppaya, M. P. (NIST); Cody, A. (Booz Allen Hamilton); Orebaugh, A. D. (Booz Allen Hamilton)
Topic: Audit & Accountability; Certification & Accreditation (C&A); Communications & Wireless; Risk Assessment; Services & Acquisitions
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: Penetration testing; risk assessment; security assessment; security examination; security testing; vulnerability scanning
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-115

SP 800-116 (Final): A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
Pub Date: 11/1/2008
Abstract: This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. Specifically, this document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal government facilities and assets. This document also proposes a PIV implementation maturity model to measure the progress of facility and agency implementations.
Authors: MacGregor, W. I. (NIST); Mehta, K. (Mehta, Inc.); Cooper, D. A. (NIST); Scarfone, K. A. (NIST)
Topic: Authentication; Biometrics; Cryptography; General IT Security; Personal Identity Verification (PIV); PKI; Planning; Risk Assessment; Smart Cards
Family: Access Control; Identification & Authentication; Personnel Security; Physical & Environmental Protection; Planning
Keywords: HSPD-12; PIV; PACS; FIPS 201; PIV authentication mechanisms; Smart Card
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-116

SP 800-117 Rev. 1 (Draft): Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2
Pub Date: 1/6/2012
Abstract: The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.
Authors: Quinn, S. D. (NIST); Scarfone, K. A. (Scarfone Cybersecurity); Waltermire, D. A. (NIST)
Topic: Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection
Legal: Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-117-Rev.%201

SP 800-117 (Final): Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0
Pub Date: 7/1/2010
Abstract: The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP). This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP's capabilities within their offerings.
Authors: Quinn, S. D. (NIST); Scarfone, K. A. (NIST); Barrett, M. (G2, Inc.); Johnson, C. S. (NIST)
Topic: Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance; Risk Assessment; System & Communication Protection; System & Services Acquisition
Keywords: Security automation; security configuration management; Security Content Automation Protocol (SCAP); vulnerability management
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-117

SP 800-118 (Draft): Guide to Enterprise Password Management
Pub Date: 4/21/2009
Abstract: SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
Authors: Scarfone, K. A. (Scarfone Cybersecurity); Souppaya, M. P. (NIST)
Topic: Authentication; Cryptography; General IT Security; Planning; Risk Assessment
Family: Identification & Authentication; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-118

SP 800-119 (Final): Guidelines for the Secure Deployment of IPv6
Pub Date: 12/1/2010
Abstract: Due to the exhaustion of IPv4 address space, and the Office of Management and Budget (OMB) mandate that U.S. federal agencies begin to use the IPv6 protocol, NIST undertook the development of a guide to help educate federal agencies about the possible security risks during their initial IPv6 deployment. Since IPv6 is not backwards compatible with IPv4, organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should begin now to understand the risks of deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will enable an organization to navigate the process smoothly and securely. This document provides guidelines for organizations to aid in securely deploying IPv6. The goals of this document are to: educate the reader about IPv6 features and the security impacts of those features; provide a comprehensive survey of mechanisms that can be used for the deployment of IPv6; and provide a suggested deployment strategy for moving to an IPv6 environment. After reviewing this document, the reader should have a reasonable understanding of IPv6 and how it compares to IPv4, security impacts of IPv6 features and capabilities, as-yet unknown impacts of IPv6 deployment, and increased knowledge and awareness about the range of IPv4 to IPv6 transition mechanisms.
Authors: Frankel, S. E. (NIST); Graveman, R. (RFG Security); Pearce, J. (Booz Allen Hamilton); Rooks, M. 
(L-1 Identity Solutions); Topic Communications & Wireless; General IT Security; Planning Family Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition Keywords IPv6; network security; Internet Protocol Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-119 Final SP 800-120 Recommendation for EAP Methods Used in Wireless Network Access Authentication Pub Date 9/1/2009 Abstract This Recommendation specifies security requirements for authentication methods with key establishment supported by the Extensible Authentication Protocol (EAP) defined in IETF RFC 3748 for wireless access authentications to federal networks. Authors Hoeper, K. (NIST); Chen, L. (NIST); Topic Authentication; Communications & Wireless; Cryptography; General IT Security Cloudburst Security, LLC Page 35 of 77 http://www.cloudburstsecurity.com
  • 36. Status Family Final Series Pub# SP 800-120 Keywords Title Access Control EAP methods; authentication; key establishment. Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsSPs.html#SP-800-120 Final SP 800-121 Rev. 1 Guide to Bluetooth Security Pub Date 6/1/2012 Abstract Bluetooth is an open standard for short-range radio frequency communication. Bluetooth technology is used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices. This publication provides information on the security capabilities of Bluetooth technologies and gives recommendations to organizations employing Bluetooth technologies on securing them effectively. The Bluetooth versions within the scope of this publication are versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 + High Speed (HS), and 4.0, which includes Low Energy (LE) technology. Authors Padgette, J. (Accenture); Scarfone, K. A. (Scarfone Cybersecurity); Chen, L. (NIST); Topic Authentication; Communications & Wireless; Services & Acquisitions Family Access Control; System & Communication Protection; System & Information Integrity; System & Services Acquisition Keywords Bluetooth; Bluetooth security; wireless networking; wireless network security; wireless personal area networks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-121-Rev.%201 Final SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) Pub Date 4/1/2010 Abstract The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. 
The document explains the importance of protecting the confidentiality of PII in the context of information security and explains its relationship to privacy using the the Fair Information Practices, which are the principles underlying most privacy laws and privacy best practices. PII should be protected from inappropriate access, use, and disclosure. This document provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for incidents involving PII. Organizations are encouraged to tailor the recommendations to meet their specific requirements. Authors McCallister, E. (NIST); Grance, T. (NIST); Scarfone, K. A. (NIST); Topic General IT Security; Planning; Risk Assessment Family Access Control; Audit & Accountability; Identification & Authentication; Media Protection; Planning; Risk Assessment; System & Communication Protection Keywords PII; confidentiality; privacy; PII confidentiality impact level; FIPS 199; personally identifiable information Legal Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-122 Final SP 800-123 Guide to General Server Security Pub Date 7/1/2008 Abstract The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function. The document discusses the need to secure servers and provides recommendations for selecting, implementing, and maintaining the necessary security controls. Authors Scarfone, K. 
A. (NIST); Jansen, W. (NIST); Tracy, M. (Federal Reserve Information Technology); Topic General IT Security; Maintenance; Planning Family Access Control; Audit & Accountability; Configuration Management; Identification & Authentication; Incident Response; Maintenance; Physical & Environmental Protection; Planning; System & Communication Protection; System & Information Integrity Keywords Host security; server security Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-123 Final SP 800-124 Rev. 1 Guidelines for Managing the Security of Mobile Devices in the Enterprise Pub Date 6/21/2013 Abstract The purpose of this publication is to help organizations centrally manage and secure mobile devices against a variety of threats. This publication provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices. Authors Souppaya, M. P. (NIST); Scarfone, K. A. (Scarfone Cybersecurity); Topic Authentication; Communications & Wireless; Research; Services & Acquisitions; Viruses & Malware Family Access Control; Configuration Management; Media Protection; Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition Keywords cell phone security; information security; mobile device security; mobility; remote access; smartphone security; tablet security; telework Cloudburst Security, LLC Page 36 of 77 http://www.cloudburstsecurity.com
  • 37. Status Legal Final Series Pub# SP 800-124 Rev. 1 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-124-Rev%201 Final SP 800-125 Guide to Security for Full Virtualization Technologies Pub Date 1/1/2011 Abstract The purpose of SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server and desktop virtualization, and to provide recommendations for addressing these concerns. Full virtualization technologies run one or more operating systems and their applications on top of virtual hardware. Full virtualization is used for operational efficiency, such as in cloud computing, and for allowing users to run applications for multiple operating systems on a single computer. Authors Scarfone, K. A. (G2, Inc.); Souppaya, M. P. (NIST); Hoffman, P. (Virtual Private Network Consortium); Topic Cloud Computing & Virtualization; Planning; Risk Assessment Family Access Control; Configuration Management; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity Keywords Virtualization; hypervisor; VMM; virtual machine; VM; cloud computing Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-125 Final SP 800-126 Rev. 
2 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 Pub Date 9/1/2011 Abstract This document provides the definitive technical specification for version 1.2 of the Security Content Automation Protocol (SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which information about software flaws and security configurations is communicated, both to machines and humans. This document defines requirements for creating and processing SCAP content. These requirements build on the requirements defined within the individual SCAP component specifications. Each new requirement pertains either to using multiple component specifications together or to further constraining one of the individual component specifications. Authors Waltermire, D. A. (NIST); Quinn, S. D. (NIST); Scarfone, K. A. (Scarfone Cybersecurity); Halbardier, A. M. (Booz Allen Hamilton); Topic Audit & Accountability; Certification & Accreditation (C&A); Digital Signatures; General IT Security; Incident Response; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions; Viruses & Malware Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection; System & Services Acquisition Keywords Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content automation Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126-Rev.%202 Final SP 800-126 Rev. 
1 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1 Pub Date 2/1/2011 Abstract This document provides the definitive technical specification for Version 1.1 of the Security Content Automation Protocol (SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. This document defines all SCAP Version 1.1 requirements that are not defined in the individual SCAP component specifications. Authors Waltermire, D. A. (NIST); Quinn, S. D. (NIST); Scarfone, K. A. (G2, Inc.); Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance; Risk Assessment; System & Communication Protection; System & Services Acquisition Keywords Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content automation Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126-Rev.%201 Final SP Pub Date Cloudburst Security, LLC 800-126 The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0 11/1/2009 Page 37 of 77 http://www.cloudburstsecurity.com
  • 38. Status Abstract Final Series Pub# SP 800-126 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title This document defines the technical specification for Version 1.0 of the Security Content Automation Protocol (SCAP). SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. This document describes the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, as well as SCAP requirements not defined in the individual SCAP component specifications. This guide provides recommendations on how to use SCAP to achieve security automation for organizations seeking to implement SCAP. Authors Quinn, S. D. (NIST); Waltermire, D. A. (NIST); Johnson, C. S. (NIST); Scarfone, K. A. (NIST); Banghart, J. F. (NIST); Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Maintenance; Risk Assessment; System & Communication Protection; System & Services Acquisition Keywords Security automation; security configuration; Security Content Automation Protocol; vulnerabilities; SCAP; security content automation Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-126 Final SP 800-127 Guide to Securing WiMAX Wireless Communications Pub Date 9/1/2010 Abstract The purpose of this document is to provide information to organizations regarding the 
security capabilities of wireless communications using WiMAX networks and to provide recommendations on using these capabilities. WiMAX technology is a wireless metropolitan area network (WMAN) technology based upon the IEEE 802.16 standard. It is used for a variety of purposes, including, but not limited to, fixed last-mile broadband access, long-range wireless backhaul, and access layer technology for mobile wireless subscribers operating on telecommunications networks. Authors Scarfone, K. A. (NIST); Tibbs, C. (Booz Allen Hamilton); Sexton, M. (Booz Allen Hamilton); Topic Authentication; Communications & Wireless; Cryptography Family Access Control; Identification & Authentication; System & Communication Protection; System & Services Acquisition Keywords WiMAX; wireless metropolitan area network; wireless network security Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-127 Final SP 800-128 Guide for Security-Focused Configuration Management of Information Systems Pub Date 8/1/2011 Abstract The purpose of Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems, is to provide guidelines for organizations responsible for managing and administering the security of federal information systems and associated environments of operation. Configuration management concepts and principles described in NIST SP 800-128, provide supporting information for NIST SP 80053, Recommended Security Controls for Federal Information Systems and Organizations. NIST SP 800-128 assumes that information security is an integral part of an organization’s overall configuration management. 
The focus of this document is on implementation of the information system security aspects of configuration management, and as such the term security-focused configuration management (SecCM) is used to emphasize the concentration on information security. In addition to the fundamental concepts associated with SecCM, the process of applying SecCM practices to information systems is described. The goal of SecCM activities is to manage and monitor the configurations of information systems to achieve adequate security and minimize organizational risk while supporting the desired business functionality and services. Authors Johnson, L. A. (NIST); Dempsey, K. L. (NIST); Ross, R. S. (NIST); Gupta, S. (Electrosoft Services, Inc.); Bailey, D. (Electrosoft Services, Inc.); Topic Certification & Accreditation (C&A); General IT Security; Maintenance; Risk Assessment; Security Automation Family Configuration Management Keywords Configuration management; information systems; security program; risk management framework; security-focused continuous monitoring; SecCM; control; monitoring; security content automation protocol (SCAP) Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-128 Final SP 800-130 A Framework for Designing Cryptographic Key Management Systems Pub Date 8/15/2013 Abstract This Framework for Designing Cryptographic Key Management Systems (CKMS) contains topics that should be considered by a CKMS designer when developing a CKMS design specification. For each topic, there are one or more documentation requirements that need to be addressed by the design specification. Thus, any CKMS that addresses each of these requirements would have a design specification that is compliant with this Framework. Authors Barker, E. B. (NIST); Smid, M. 
E. (Orion Security Solutions); Branstad, D. K. (); Chokhani, S. (Cygnacom); Topic Cryptography Cloudburst Security, LLC Page 38 of 77 http://www.cloudburstsecurity.com
  • 39. Status Keywords Series Pub# Title Final SP 800-130 access control; confidentiality; cryptographic key management system; cryptographic keys; framework; integrity; key management policies; key metadata; source authentication Final SP 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsSPs.html#SP-800-130 Pub Date 1/1/2011 Abstract At the start of the 21st century, the National Institute of Standards and Technology (NIST) began the task of providing cryptographic key management guidance, which includes defining and implementing appropriate key management procedures, using algorithms that adequately protect sensitive information, and planning ahead for possible changes in the use of cryptography because of algorithm breaks or the availability of more powerful computing techniques. NIST Special Publication (SP) 800-57, Part 1 was the first document produced in this effort, and includes a general approach for transitioning from one algorithm or key length to another. This Recommendation (SP 800-131A) provides more specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms. Authors Barker, E. B. (NIST); Roginsky, A. L. (NIST); Topic Cryptography Keywords Cryptographic algorithm; digital signatures; encryption; hash function; key agreement; key derivation; key management; key transport; key wrapping; message authentication codes; random number generation; security strength; transition. Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-131-A Final SP 800-132 Recommendation for Password-Based Key Derivation: Part 1: Storage Applications Pub Date 12/1/2010 Abstract This Recommendation specifies techniques for the derivation of master keys from passwords or passphrases to protect stored electronic data or data protection keys. 
Authors Turan, M. S. (NIST); Barker, E. B. (NIST); Burr, W. E. (NIST); Chen, L. (NIST); Topic Authentication; Cryptography; General IT Security Family Access Control Keywords Password-Based Key Derivation Functions; Salt; Iteration Count; Protection of data in storage. Link http://csrc.nist.gov/publications/PubsSPs.html#SP-800-132 Title Final SP 800-133 Recommendation for Cryptographic Key Generation Pub Date 11/1/2012 Abstract Cryptography is often used in an information technology security environment to protect data that is sensitive, has a high value, or is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a cryptographic key. This Recommendation discusses the generation of the keys to be managed and used by the approved cryptographic algorithms. Authors Barker, E. B. (NIST); Roginsky, A. L. (NIST); Topic Cryptography Keywords asymmetric key; key agreement; key derivation; key generation; key replacement; key transport; key update; key wrapping; private key; public key; symmetric key Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-133 Final SP 800-135 Rev. 1 Recommendation for Existing Application-Specific Key Derivation Functions Pub Date 12/1/2011 Abstract Cryptographic keys are vital to the security of internet security applications and protocols. Many widely-used internet security protocols have their own application-specific Key Derivation Functions (KDFs) that are used to generate the cryptographic keys required for their cryptographic functions. This Recommendation provides security requirements for those KDFs. Authors Dang, Q. H. 
(NIST); Topic Cryptography Keywords Cryptographic key; shared secret; Diffie-Hellman (DH) key exchange; hash function; Key Derivation Function (KDF); Hash-based Key Derivation Function; Randomness Extraction; Key expansion; Pseudorandom Function (PRF); HMAC; ANS X9.42-2001; ANS X9.63-2001; IKE; SSH; TLS; SRTP; SNMP and TPM. Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-135-Rev.%201 Final SP 800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations Pub Date 9/1/2011 Abstract The purpose of this guideline is to assist organizations in the development of a continuous monitoring strategy and the implementation of a continuous monitoring program providing visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls. It provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance as well as the information needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate. Authors Dempsey, K. L. (NIST); Chawla, N. S. (PricewaterhouseCoopers LLP); Johnson, L. A. (NIST); Johnston, R. (Department of Defense); Jones, A. C. (Booz Allen Hamilton); Orebaugh, A. D. (Booz Allen Hamilton); Scholl, M. A. (NIST); Stine, K. M. (NIST); Topic Certification & Accreditation (C&A); General IT Security; Planning; Risk Assessment Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Planning; Program Management; Risk Assessment Keywords Continuous monitoring; ISCM; information security; security; risk management Cloudburst Security, LLC Page 39 of 77 http://www.cloudburstsecurity.com
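SP 800-132, indexed above, is the NIST specification for the keywords it lists (password-based key derivation, salt, iteration count): a master key is derived from the password with PBKDF2, where an HMAC is iterated over the salt and a block counter and the intermediate outputs are XORed together. The Python below is an added example and is not text or code from the index or from SP 800-132. It writes that derivation out by hand, cross-checks it against the standard library's hashlib.pbkdf2_hmac, and wraps it in a helper that refuses the two things SP 800-132 sets floors on (a randomly generated salt shorter than 128 bits, an iteration count below 1,000). The function names, the 100,000-iteration default and the sample passwords and salts are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

HASH = "sha256"
MIN_SALT_BYTES = 16    # SP 800-132: randomly generated salt portion shall be at least 128 bits
MIN_ITERATIONS = 1000  # SP 800-132: a minimum iteration count of 1,000 is recommended


def pbkdf2(password: bytes, salt: bytes, iterations: int, dk_len: int) -> bytes:
    """PBKDF2 with PRF = HMAC-SHA-256, written out to show the derivation itself:
    U_1 = HMAC(P, S || INT(i)); U_j = HMAC(P, U_{j-1}); T_i = U_1 xor ... xor U_c;
    MK = T_1 || T_2 || ... truncated to dk_len bytes (i is a 4-byte big-endian block index)."""
    h_len = hashlib.new(HASH).digest_size
    out = bytearray()
    block = 1
    while len(out) < dk_len:
        u = hmac.new(password, salt + struct.pack(">I", block), HASH).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, HASH).digest()
            for k in range(h_len):
                t[k] ^= u[k]
        out += t
        block += 1
    return bytes(out[:dk_len])


def self_check() -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib on constructed inputs."""
    cases = [(b"passwd", b"salt", 1, 64), (b"Password", b"NaCl", 2000, 40)]
    return all(pbkdf2(p, s, c, n) == hashlib.pbkdf2_hmac(HASH, p, s, c, n)
               for p, s, c, n in cases)


def meets_sp800_132_minimums(salt: bytes, iterations: int) -> bool:
    """Policy check used before any derivation: salt >= 128 bits, iterations >= 1,000."""
    return len(salt) >= MIN_SALT_BYTES and iterations >= MIN_ITERATIONS


def derive_master_key(password: str, salt: Optional[bytes] = None,
                      iterations: int = 100_000, dk_len: int = 32):
    """Derive a master key (MK) for protecting stored data and return (MK, salt), so the
    salt can be stored beside the protected data. The 100,000 default is an assumption
    for this example, well above the SP 800-132 floor; set it as high as the application tolerates."""
    if salt is None:
        salt = os.urandom(MIN_SALT_BYTES)  # fresh random salt per derivation
    if not meets_sp800_132_minimums(salt, iterations):
        raise ValueError("salt or iteration count below the SP 800-132 minimum")
    return pbkdf2(password.encode("utf-8"), salt, iterations, dk_len), salt


if __name__ == "__main__":
    assert self_check()
    mk, salt = derive_master_key("correct horse battery staple")
    print("salt:", salt.hex())
    print("MK:  ", mk.hex())
```

Because the salt is returned alongside the key, the same password can only be re-derived to the same MK by a party holding that salt; changing even one salt byte yields an unrelated MK, which is what defeats precomputed password tables.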
Final SP 800-137 (continued)
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-137

Draft FIPS 140-3: Security Requirements for Cryptographic Modules (Revised Draft)
Pub Date: 12/11/2009
Abstract: The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security in its computer and telecommunication systems. This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106 and the Federal Information Security Management Act of 2002, Public Law 107-347. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design, implementation, operation and disposal of a cryptographic module. These areas include cryptographic module specification; cryptographic module physical ports and logical interfaces; roles, authentication, and services; software security; operational environment; physical security; physical security – non-invasive attacks; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks.
Topic: Audit & Accountability; Authentication; Communications & Wireless; Cryptography; Digital Signatures; PKI; Planning; Services & Acquisitions
Family: Identification & Authentication; System & Communication Protection; System & Information Integrity
Keywords: computer security; telecommunication security; physical security; software security; cryptography; cryptographic modules; Federal Information Processing Standard (FIPS)
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link: http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-140--3

Final FIPS 140-2: Security Requirements for Cryptographic Modules
Pub Date: 12/3/2002
Abstract: This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.
Topic: Audit & Accountability; Communications & Wireless; Cryptography; Digital Signatures; PKI; Planning; Services & Acquisitions
Family: Identification & Authentication; System & Communication Protection; System & Information Integrity
Keywords: computer security; cryptographic module; FIPS 140-2; validation
Legal: Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents
Link: http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-140--2

Final SP 800-142: Practical Combinatorial Testing
Pub Date: 10/1/2010
Abstract: Combinatorial testing can help detect problems like this early in the testing life cycle. The key insight underlying t-way combinatorial testing is that not every parameter contributes to every fault and most faults are caused by interactions between a relatively small number of parameters. This publication provides a self-contained tutorial on using combinatorial testing for real-world software, including how to use it effectively for system and software assurance. It introduces the key concepts and methods, explains use of software tools for generating combinatorial tests (freely available on the NIST web site csrc.nist.gov/acts), and discusses advanced topics such as the use of formal models of software to determine the expected results for each set of test inputs. With each topic, a section on costs and practical considerations explains tradeoffs and limitations that may impact resources or funding. The material is accessible to an undergraduate student of computer science or engineering, and includes an extensive set of references to papers that provide more depth on each topic.
Authors: Kuhn, D. R. (NIST); Kacker, R. N. (NIST); Lei, Y. (NIST)
Topic: Research
Keywords: Combinatorial methods; computer security; software assurance; software testing
Link: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-142

Final SP 800-144: Guidelines on Security and Privacy in Public Cloud Computing
Pub Date: 12/1/2011
Abstract: Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.
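The "key insight" in the SP 800-142 abstract above (most faults come from interactions among a few parameters, so covering every pair of parameter values already catches most of them) is easiest to see on a small configuration space. The Python below is an added example; it is not from the index, from SP 800-142 or from NIST's ACTS tool. It is a greedy, AETG-style generator for a 2-way (pairwise) covering array plus a checker that confirms every parameter-value pair occurs in at least one test, run on a constructed TLS server configuration space. The parameter names and values, and the function names, are assumptions made for this illustration.

```python
from itertools import combinations, product


def all_pairs(params):
    """Every (param_a, value_a, param_b, value_b) interaction that 2-way testing must cover.
    params is a dict of parameter name -> list of values; insertion order is kept."""
    pairs = set()
    for a, b in combinations(params, 2):
        for va, vb in product(params[a], params[b]):
            pairs.add((a, va, b, vb))
    return pairs


def pairs_in(test, names):
    """Interactions covered by one (possibly partial) test, given as dict name -> value."""
    return {(a, test[a], b, test[b])
            for a, b in combinations(names, 2) if a in test and b in test}


def pairwise_tests(params):
    """Build tests one at a time: seed each test with a still-uncovered pair (so every test
    covers at least one new interaction and the loop terminates), then fill in the remaining
    parameters with the value that newly covers the most uncovered pairs."""
    names = list(params)
    uncovered = all_pairs(params)
    tests = []
    while uncovered:
        a, va, b, vb = min(uncovered, key=repr)  # deterministic seed choice
        test = {a: va, b: vb}
        for n in names:
            if n in test:
                continue
            test[n] = max(params[n],
                          key=lambda v: len(pairs_in({**test, n: v}, names) & uncovered))
        tests.append({n: test[n] for n in names})
        uncovered -= pairs_in(test, names)
    return tests


def covers_all_pairs(params, tests):
    """True iff the test set is a 2-way covering array for params."""
    covered = set()
    for t in tests:
        covered |= pairs_in(t, list(params))
    return all_pairs(params) <= covered


def exhaustive_count(params):
    """Size of the full cartesian product, for comparison."""
    n = 1
    for values in params.values():
        n *= len(values)
    return n


# Constructed example: a small TLS server configuration space (not taken from SP 800-142).
TLS_PARAMS = {
    "protocol": ["TLS1.2", "TLS1.3"],
    "cipher": ["AES128-GCM", "AES256-GCM", "CHACHA20"],
    "client_auth": ["none", "optional", "required"],
    "session_resumption": ["off", "on"],
}

if __name__ == "__main__":
    tests = pairwise_tests(TLS_PARAMS)
    print(f"{len(tests)} pairwise tests instead of {exhaustive_count(TLS_PARAMS)} exhaustive")
    for t in tests:
        print(t)
    print("all pairs covered:", covers_all_pairs(TLS_PARAMS, tests))
```

The greedy construction is not optimal (the covering-array lower bound here is 9, the product of the two largest value counts), but it brings 36 exhaustive configurations down to around ten while still guaranteeing that every protocol/cipher, cipher/client-auth and similar two-way combination is exercised; 3-way coverage follows the same pattern with triples in place of pairs.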
  • 41. Status Authors Final Series Pub# SP 800-144 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Jansen, W. (Booz Allen Hamilton); Grance, T. (NIST); Topic Cloud Computing & Virtualization; Planning; Research; Services & Acquisitions Family Planning Keywords Cloud Computing; Computer Security and Privacy; Information Technology Outsourcing Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-144 Final SP 800-145 The NIST Definition of Cloud Computing Pub Date 9/1/2011 Abstract Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. Authors Mell, P. M. (NIST); Grance, T. 
(NIST); Topic Cloud Computing & Virtualization; Planning; Research Keywords Cloud Computing; SaaS; PaaS; IaaS; On-demand Self Service; Reserve Pooling; Rapid Elasticity; Measured Service; Software as a Service; Platform as a Service; Infrastructure as a Service Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-145 Final SP 800-146 Cloud Computing Synopsis and Recommendations Pub Date 5/29/2012 Abstract This document reprises the NIST-established definition of cloud computing, describes cloud computing benefits and open issues, presents an overview of major classes of cloud technology, and provides guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing. Authors Badger, M. L. (NIST); Grance, T. (NIST); Patt-Corner, R. (Global Tech, Inc.); Voas, J. (NIST); Topic Cloud Computing & Virtualization; Planning; Research Keywords cloud computing, computer security, virtualization Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-146 Final SP 800-147 BIOS Protection Guidelines Pub Date 4/1/2011 Abstract This document provides guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS) firmware on PC client systems. 
Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization —either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). As used in this publication, the term BIOS refers to conventional BIOS, Extensible Firmware Interface (EFI) BIOS, and Unified Extensible Firmware Interface (UEFI) BIOS. This document applies to system BIOS firmware (e.g., conventional BIOS or UEFI BIOS) stored in the system flash memory of computer systems, including portions that may be formatted as Option ROMs. However, it does not apply to Option ROMs, UEFI drivers, and firmware stored elsewhere in a computer system. While this document focuses on current and future x86 and x64 client platforms, the controls and procedures are independent of any particular system design. Likewise, although the guide is oriented toward enterprise-class platforms, the necessary technologies are expected to migrate to consumer-grade systems over time. Future efforts may look at boot firmware security for enterprise server platforms. Authors Cooper, D. A. (NIST); Polk, W. T. (NIST); Regenscheid, A. R. (NIST); Souppaya, M. P. (NIST); Topic Authentication; Awareness & Training; Certification & Accreditation (C&A); Contingency Planning; Cryptography; Digital Signatures; General IT Security; Incident Response; Maintenance; PKI Cloudburst Security, LLC Page 41 of 77 http://www.cloudburstsecurity.com
  • 42. Status Family Final Series Pub# SP 800-147 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Access Control; System & Information Integrity; System & Services Acquisition Keywords BIOS; firmware; security; firmware updates; basic input/output system; BIOS firmware; system BIOS Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-147 Draft SP 800-147B BIOS Protection Guidelines for Servers Pub Date 7/30/2012 Abstract This guide is intended to mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic Input/Output System (BIOS), in server-class systems. This guide identifies security requirements and guidelines for a secure BIOS update process, using digital signatures to authenticate updates. The intended audience for this document includes BIOS and platform vendors of server-class systems, and information system security professionals who are responsible for procuring, deploying, and managing servers. This document is the second in a series of publications on BIOS protections. The first document, SP800-147, BIOS Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in enterprise environments. In the future, NIST intends to develop a new publication providing an overview of BIOS protections for IT security professionals to be released as SP800-147rev1, and will reissue the current SP800-147 as SP800-147A at that time. Authors Regenscheid, A. R. 
(NIST); Topic Authentication; Awareness & Training; Certification & Accreditation (C&A); Contingency Planning; Cryptography; Digital Signatures; General IT Security; Incident Response; Maintenance; PKI Family Access Control; System & Information Integrity; System & Services Acquisition Keywords Basic Input/Output System (BIOS); information security; patch mana gement; server security Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-147-B Draft SP 800-152 A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS) Pub Date 8/8/2012 Abstract This Profile will be based on the Special Publication 800-130, entitled “A Framework for Designing Cryptographic Key Management Systems.” The Framework covers topics that should be considered by a product or system designer when designing a CKMS and specifies requirements for the design and its documentation. The Profile, however, will cover not only a CKMS design, but also its procurement, installation, management, and operation throughout its lifetime. Authors Barker, E. B. (NIST); Topic Cryptography Legal E-Government Act of 2002/Mandates NIST Development of Security Standards Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-152 Final SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs) Pub Date 2/1/2012 Abstract A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. 
The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, access points (AP), and wireless switches—is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring. The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and strengthening their key recommendations. Authors Souppaya, M. P. (NIST); Scarfone, K. A. (Scarfone Cybersecurity); Topic Communications & Wireless; General IT Security; Planning; Risk Assessment Family Access Control; Configuration Management; Planning; Risk Assessment; System & Communication Protection Keywords Wireless Local Area Network; WLAN; IEEE 802.11; 802.11; access points; AP; wireless networking; wireless networking security Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-153 Draft SP Pub Date Cloudburst Security, LLC 800-155 BIOS Integrity Measurement Guidelines 12/8/2011 Page 42 of 77 http://www.cloudburstsecurity.com
  • 43. Status Abstract Draft Series Pub# SP 800-155 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization —either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment. Authors Regenscheid, A. R. (NIST); Scarfone, K. A. (Scarfone Cybersecurity); Topic General IT Security Family Configuration Management Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-155 Draft SP 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations Pub Date 8/16/2013 Abstract This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance. Authors Boyens, J. (NIST); Paulsen, C. (NIST); Moorthy, R. (Hatha Systems); Bartol, N. (Utilities Telecom Council); Shankles, S. A. 
(Booz Allen Hamilton); Topic Cyber-Physical Systems & Smart Grid; General IT Security; Incident Response; Maintenance; Planning; Risk Assessment; Services & Acquisitions Family Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Program Management; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition Keywords acquirer; criticality analysis; external service provider; information and communication technology (ICT); integrator; risk management; supplier; supply chain Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Conduct Security Awareness Training; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Develop Contingency Plans & Procedures; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Mandates Agency-Wide Information Security Program Development & Implementation Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-161 Draft SP 800-162 Guide to Attribute Based Access Control 
(ABAC) Definition and Considerations Pub Date 4/22/2013 Abstract This document provides Federal agencies with a definition of attribute based access control (ABAC). ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document also provides considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information. Authors Hu, V. C. (NIST); Ferraiolo, D. (NIST); Kuhn, D. R. (NIST); Friedman, A. R. (National Security Agency); Lang, A. J. (National Security Agency); Cogdell, M. M. (National Security Agency); Schnitzer, A. (Booz Allen Hamilton); Sandlin, K. (The MITRE Corporation); Miller, R. (The MITRE Corporation); Scarfone, K. A. (Scarfone Cybersecurity); Topic Research Keywords access control; attribute based access control (ABAC); authorization; privilege; access control model; access control policy; access control mechanism Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-162 Draft SP Pub Date Cloudburst Security, LLC 800-164 Guidelines on Hardware-Rooted Security in Mobile Devices 10/31/2012 Page 43 of 77 http://www.cloudburstsecurity.com
  • 44. Status Abstract Draft Series Pub# SP 800-164 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities- device integrity, isolation, and protected storage- through the use of hardware-based roots of trust. The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment. Authors Chen, L. (NIST); Franklin, J. (NIST); Regenscheid, A. R. (NIST); Topic Communications & Wireless; General IT Security Family System & Information Integrity Keywords information security; mobile device security; root of trust; smartphone; tablet Link Title http://csrc.nist.gov/publications/PubsSPs.html#SP-800-164 Final SP 800-165 Computer Security Division 2012 Annual Report Pub Date 7/22/2013 Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component of NIST s Information Technology Laboratory (ITL), is to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services. 
During Fiscal Year 2012 (FY 2012), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security and privacy mechanisms were developed and applied that improved information security across the federal government and the greater information security community. This annual report highlights the research agenda and activities in which CSD was engaged during FY 2012. Authors O'Reilly, P. D. (NIST); Richards, L. (NIST) Topic Annual Reports Keywords Federal Information Security Management Act; FISMA; Computer Security Division; CSD; information security Link Title http://csrc.nist.gov/publications/PubsSPs.html#800-165 Final FIPS 180-4 Secure Hash Standard (SHS) Pub Date 3/6/2012 Abstract This standard specifies hash algorithms that can be used to generate digests of messages. The digests are used to detect whether messages have been changed since the digests were generated. Topic Authentication; Cryptography; Digital Signatures Family System & Communication Protection; System & Information Integrity Keywords computer security; cryptography; message digest; hash function; hash algorithm; Federal Information Processing Standards; Secure Hash Standard Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents Link Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-180--4 Final FIPS 181 Automated Password Generator Pub Date 10/5/1993 Abstract The Automated Password Generator Standard specifies an algorithm to generate passwords for the protection of computer resources. This standard is for use in conjunction with FIPS PUB 112, Password Usage Standard, which provides basic security criteria for the design, implementation, and use of passwords. The algorithm uses random numbers to select the characters that form the random pronounceable passwords. 
The random numbers are generated by a random number subroutine based on the Electronic Codebook mode of the Data Encryption Standard (DES) (FIPS PUB 46-1). The random number subroutine uses a pseudorandom DES key generated in accordance with the procedure described in Appendix C of ANSI X9.17. Topic Authentication; Cryptography Family System & Communication Protection; System & Information Integrity Keywords automated password generator; computer security; Federal Information Processing Standard; FIPS; password; random numbers Link Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-181 Final FIPS 185 Escrowed Encryption Standard Pub Date 2/9/1994 Abstract This standard specifies an encryption/decryption algorithm and a Law Enforcement Access Field (LEAF) creation method which may be implemented in electronic devices and used for protecting government telecommunications when such protection is desired. The algorithm and the LEAF creation method are classified and are referenced, but not specified, in the standard. Electronic devices implementing this standard may be designed into cryptographic modules which are integrated into data security products and systems for use in data security applications. The LEAF is used in a key escrow system that provides for decryption of telecommunications when access to the telecommunications is lawfully authorized. Topic Cryptography Keywords Cryptography; Federal Information Processing Standard; encryption; key escrow system; security Cloudburst Security, LLC Page 44 of 77 http://www.cloudburstsecurity.com
  • 45. Status Series Pub# Link Final FIPS 185 Title Final FIPS 186-4 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-185 Digital Signature Standard (DSS) Pub Date 7/19/2013 Abstract The Standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory. This is known as non-repudiation, since the signatory cannot easily repudiate the signature at a later time. This Standard specifies three techniques for the generation and verification of digital signatures: DSA, ECDSA and RSA. This revision increases the length of the keys allowed for DSA, provides additional requirements for the use of ECDSA and RSA, and includes requirements for obtaining assurances necessary for valid digital signatures. Topic Authentication; Cryptography; Digital Signatures Family System & Communication Protection Keywords computer security; cryptography; Digital Signature Algorithm; digital signatures; Elliptic Curve Digital Signature Algorithm; Federal Information Processing Standard; public Link Title http://csrc.nist.gov/publications/PubsFIPS.html#186-4 Final FIPS 188 Standard Security Label for Information Transfer Pub Date 9/6/1994 Abstract Information Transfer security labels convey information used by protocol entities to determine how to handle data communicated between open systems. Information on a security label can be used to control access, specify protective measures, and determine handling restrictions required by a communications security policy. 
This standard defines a security label syntax for information exchanged over data networks and provides encodings of that syntax for use at the Application and Network Layers. The syntactic constructs defined in this standard are intended to be used along with semantics provided by the authority establishing the security policy for the protection of the information exchanged. A separate NIST document, referenced in an informative appendix, defines a Computer Security Objects Register (CSOR) that serves as repository for label semantics. Topic Maintenance; Planning Family Access Control Keywords Application Layer security; computer communications security; Computer Security Objects Register; Federal Information Processing Standard; Information Transfer security labels; Network Layer security; security labels; security protocols Link Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-188 Final FIPS 190 Guideline for the Use of Advanced Authentication Technology Alternatives Pub Date 9/28/1994 Abstract This Guideline describes the primary alternative methods for verifying the identities of computer system users, and provides recommendations to Federal agencies and departments for the acquisition and use of technology which supports these methods. Although the traditional approach to authentication relies primarily on passwords, it is clear that password-only authentication often fails to provide an adequate level of protection. Stronger authentication techniques become increasingly more important as information processing evolves toward an open systems environment. Modern technology has produced authentication tokens and biometric devices which are reliable, practical, and cost-effective. Passwords, tokens, and biometrics can be used in various combinations to provide far greater assurance in the authentication process than can be attained with passwords alone. 
Topic Authentication; Cryptography Family Identification & Authentication; System & Communication Protection Keywords computer security; cryptographic modules; cryptography; Federal Information Processing Standards Publication; telecommunication security Link Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-190 Final FIPS 191 Guideline for The Analysis of Local Area Network Security Pub Date 11/9/1994 Abstract This guideline discusses threats and vulnerabilities and considers technical security services and security mechanisms. Topic Audit & Accountability; Certification & Accreditation (C&A); Maintenance; Planning; Risk Assessment Keywords Federal Information Processing Standards Publication (FIPS PUB); local area network (LAN); LAN security; risk; security; security mechanism; security service; threat; vulnerability Link Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-191 Final FIPS 196 Entity Authentication Using Public Key Cryptography Pub Date 2/18/1997 Abstract This standard specifies two challenge-response protocols by which entities in a computer system may authenticate their identities to one another. These may be used during session initiation, and at any other time that entity authentication is necessary. Depending on which protocol is implemented, either one or both entities involved may be authenticated. The defined protocols are derived from an international standard for entity authentication based on public key cryptography, which uses digital signatures and random number challenges. Authentication based on public key cryptography has an advantage over many other authentication schemes because no secret information has to be shared by the entities involved in the exchange. A user (claimant) attempting to authenticate oneself must use a private key to digitally sign a random number challenge issued by the verifying entity. This random number is a time variant parameter which is unique to the authentication exchange. 
If the verifier can successfully verify the signed response using the claimant's public key, then the claimant has been successfully authenticated. Cloudburst Security, LLC Page 45 of 77 http://www.cloudburstsecurity.com
  • 46. Status Topic Final Series Pub# FIPS 196 Keywords Title Authentication; Cryptography; PKI access control; authentication; challenge-response; computer security; cryptographic modules; cryptography; Federal Information Processing Standard (FIPS); telecommunications security Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-196 Final FIPS 197 Advanced Encryption Standard Pub Date 11/26/2001 Abstract The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. Topic Cryptography Family System & Communication Protection Keywords algorithm; block cipher; ciphertext; cryptographic algorithm; cryptographic keys; decryption; encryption Link Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-197 Final FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) Pub Date 7/16/2008 Abstract This Standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative Approved cryptographic hash function, in combination with a shared secret key. 
Topic Cryptography Family Audit & Accountability; System & Communication Protection; System & Information Integrity Keywords computer security; cryptography; HMAC; MAC; message authentication; Federal Information Processing Standards (FIPS) Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents Link http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-198--1 Title Final FIPS 199 Standards for Security Categorization of Federal Information and Information Systems Pub Date 2/1/2004 Abstract The purpose of this document is to provide a standard for categorizing federal information and information systems according to an agency's level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction. Topic Audit & Accountability; Certification & Accreditation (C&A); Planning; Risk Assessment Family Audit & Accountability; Certification, Accreditation & Security Assessments; Planning; Program Management; Risk Assessment Keywords classification; Federal information; Federal information systems; FIPS; security Legal E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-199 Final FIPS 200 Minimum Security Requirements for Federal Information and Information Systems Pub Date 3/1/2006 Abstract FIPS 200 is the second standard that was 
specified by the Information Technology Management Reform Act of 1996 (FISMA). It is an integral part of the risk management framework that the National Institute of Standards and Technology (NIST) has developed to assist federal agencies in providing levels of information security based on levels of risk. FIPS 200 specifies minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements.
Topic: Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Planning
Family: Access Control; Audit & Accountability; Awareness & Training; Certification, Accreditation & Security Assessments; Configuration Management; Contingency Planning; Identification & Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; Risk Assessment; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: risk-assessment; security controls; security requirements
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems
Link: http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-200

Cloudburst Security, LLC Page 46 of 77 http://www.cloudburstsecurity.com

Status: Final
Series/Pub#: FIPS 201-2
Title: Personal Identity Verification (PIV) of Federal Employees and Contractors
Pub Date: 8/31/2013
Abstract: This Standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and logical access to government information systems. The Standard contains the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of Homeland Security Presidential Directive-12 [HSPD-12], including identity proofing, registration, and issuance. The Standard also provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this Standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in Special Publication 800-73, Interfaces for Personal Identity Verification. The interfaces and data formats of biometric information are specified in Special Publication 800-76, Biometric Specifications for Personal Identity Verification. The requirements for cryptographic algorithms are specified in Special Publication 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The requirements for the accreditation of the PIV Card issuers are specified in Special Publication 800-79, Guidelines for the Accreditation of Personal Identity Verification Card Issuers. The unique organizational codes for Federal agencies are assigned in Special Publication 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations. The requirements for card readers are specified in Special Publication 800-96, PIV Card to Reader Interoperability Guidelines. The format for encoding the chain-of-trust for import and export is specified in Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export. The requirements for issuing PIV derived credentials are specified in Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. This Standard does not specify access control policies or requirements for Federal departments and agencies.
Topic: Biometrics; Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Family: Access Control; Identification & Authentication; Planning; System & Communication Protection
Keywords: architecture; authentication; authorization; biometrics; credential; cryptography; Federal Information Processing Standards (FIPS); HSPD-12; identification; identity; infrastructure; model; Personal Identity Verification; PIV; public key infrastructure; PKI; validation; verification
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-201--2

Status: Final
Series/Pub#: FIPS 201-1
Title: Personal Identity Verification (PIV) of Federal Employees and Contractors
Pub Date: 6/23/2006
Abstract: This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems. The standard contains two major sections. Part one describes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of Homeland Security Presidential Directive 12, including personal identity proofing, registration, and issuance. Part two provides detailed specifications that will support technical interoperability among PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve identity credentials from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard. The interfaces and card architecture for storing and retrieving identity credentials from a smart card are specified in Special Publication 800-73, Interfaces for Personal Identity Verification. Similarly, the interfaces and data formats of biometric information are specified in Special Publication 800-76, Biometric Data Specification for Personal Identity Verification. This standard does not specify access control policies or requirements for Federal departments and agencies.
Topic: Biometrics; Personal Identity Verification (PIV); Services & Acquisitions; Smart Cards
Family: Access Control; Identification & Authentication; Planning; System & Communication Protection
Keywords: architecture; authentication; authorization; biometrics; credential; cryptography; Federal Information Processing Standards (FIPS); HSPD 12; identification; identity; infrastructure; model; Personal Identity Verification; PIV; validation; verification
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsFIPS.html#FIPS-201--1
Status: Final
Series/Pub#: NISTIR 4734
Title: Foundations of a Security Policy for Use of the National Research and Educational Network
Pub Date: 2/1/1992
Abstract: The National Research and Education Network (NREN) is an integral part of the planned High-Performance Computing and Communication (HPCC) infrastructure that will extend throughout the scientific, technical and education communities. The projected vision is one of desks and laboratory benches as entry points to a nation-wide electronic network of information technologies with shared access to services and resources such as high-performance computing systems, specialized software tools, databases, scientific instruments, digital libraries, and other research facilities. The purpose of this report is to explore the foundations of a security policy and propose a security policy for the NREN, one that is applicable to and identifies responsibilities of all major network constituents: end users, system administrators, management at all levels, vendors, system developers, service providers, and the Federal Networking Council.
Authors: Oldehoeft, A. E. (Iowa State University)
Keywords: computer security policy; High-Performance Computing and Communication; HPCC; National Research and Educational Network; NREN
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4734

Status: Final
Series/Pub#: NISTIR 4749
Title: Sample Statements of Work for Federal Computer Security Services: For use In-House or Contracting Out
Pub Date: 6/26/1992
Abstract: Each federal organization is fully responsible for its computer security program whether the security program is performed by in-house staff or contracted out. Time constraints, budget constraints, availability or expertise of staff, and the potential knowledge to be gained by the organization from an experienced contractor are among the reasons a federal organization may wish to get external assistance for some of these complex, labor-intensive activities. An interagency working group of federal and private sector security specialists developed this document. The document presents the ideas and experiences of those involved with computer security. It supports the operational field with a set of Statements of Work (SOWs) describing significant computer security activities. While not a substitute for good computer security management, organization staff and government contractors can use these SOWs as a basis for a common understanding of each described activity. The sample SOWs can foster easier access to more consistent, high-quality computer security services. The descriptions apply to contracting for services or obtaining them from within the organization.
Authors: Gilbert, D. M.; Lynch, N.
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4749

Status: Final
Series/Pub#: NISTIR 4939
Title: Threat Assessment of Malicious Code and External Attacks
Pub Date: 10/1/1992
Abstract: As a participant in the U. S. Army Computer Vulnerability/Survivability Study Team, the National Institute of Standards and Technology has been tasked with providing an assessment of the threats associated with commercial hardware and software. This document is the second and final deliverable under the Military Interdepartmental Purchase Request number: W43P6Q-92-EW138. This report provides an assessment of the threats associated with malicious code and external attacks on systems using commercially available hardware and software. The history of the threat is provided and current protection methods described. A projection of the future threats for both malicious code and human threats is also given.
Authors: Bassham III, L. E. (NIST); Polk, W. T. (NIST)
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4939

Status: Final
Series/Pub#: NISTIR 4976
Title: Assessing Federal and Commercial Information Security Needs
Pub Date: 11/1/1992
Abstract: In a cooperative effort with government and industry, the National Institute of Standards and Technology (NIST) conducted a study to assess the current and future information technology (IT) security needs of the commercial, civil, and military sectors. The primary objectives of the study were to: a) determine a basic set of information protection policies and control objectives that pertain to the secure processing needs of organizations within all sectors; and b) identify protection requirements and technical approaches that are used, desired or sought so they can be considered for future federal standards and guidelines. The findings of this study address the basic security needs of IT product users, including system developers, end users, administrators, and evaluators. Security needs have been identified based on actual existing and well-understood security organizational practices.
Authors: Ferraiolo, D. (NIST); Gilbert, D. M.; Lynch, N.
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-4976

Status: Final
Series/Pub#: NISTIR 5153
Title: Minimum Security Requirements for Multi-User Operating Systems
Pub Date: 3/1/1993
Abstract: [NOTE: THIS DOCUMENT HAS BEEN SUPERSEDED BY THE FEDERAL CRITERIA.] The Minimum Security Requirements for Multi-User Operating Systems (MSR) document provides basic commercial computer system security requirements applicable to both government and commercial organizations. These requirements include technical measures that can be incorporated into multi-user, remote-access, resource-sharing, and information-sharing computer systems. The MSR document was written from the perspective of protecting the confidentiality and integrity of an organization's resources and promoting the continual availability of these resources. The MSR presented in this document form the basis for the commercially oriented protection profiles in Volume II of the draft Federal Criteria for Information Technology Security document (known as the Federal Criteria). The Federal Criteria is currently a draft and supersedes this document. The MSR document has been developed by the MSR Working Group of the Federal Criteria Project under National Institute of Standards and Technology (NIST) leadership with a high level of private sector participation. Its contents are based on the Trusted Computer System Evaluation Criteria (TCSEC) C2 criteria class, with additions from current computer industry practice and commercial security requirements specifications.
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5153

Status: Final
Series/Pub#: NISTIR 5232
Title: Report of the NSF/NIST Workshop on NSFNET/NREN Security, July 6-7, 1992
Pub Date: 5/1/1993
Abstract: The Workshop on NSFNET/NREN Security was hosted by NIST and sponsored by NSF to address the need for improving the security of national computer networks. Emphasis was on identifying off-the-shelf security technology that could be implemented in the NSF Network, especially to control access to the supercomputer on the network. The report sections reflect the workshop sessions that related security aspects of distributed networks: authentication, access control, applications security and security management. A final section details workshop recommendations.
Authors: Oldehoeft, A. E. (Iowa State University); Branstad, D. K. (NIST)
Keywords: computer security policy; High-Performance Computing and Communication; HPCC; National Research and Educational Network; NREN

Status: Final
Series/Pub#: NISTIR 5234
Title: Report of the NIST Workshop on Digital Signature Certificate Management, December 10-11, 1992
Pub Date: 10/1/1993
Abstract: The purpose of the workshop, held at the National Institute of Standards and Technology (NIST) on December 10-11, 1992, was to review the existing and required technologies for digital signature certification authorities, and to develop recommendations for certificate contents, formats, generation, distribution and storage. The results of the workshop will be provided to MITRE Corporation as input to the federally sponsored study of signature certification authorities. Invited participants represented various constituencies including the Federal Government, commercial organizations, standards organizations, and international interests. This report includes a summary of the presentations and copies of slides for nine of the presentations.
Authors: Branstad, D. K. (NIST)
Keywords: certificate management; certificate revocation lists; public key certificate; X.509 certificates

Status: Final
Series/Pub#: NISTIR 5308
Title: General Procedures for Registering Computer Security Objects
Pub Date: 12/1/1993
Abstract: The primary purpose of this register is to specify names that uniquely identify Computer Security Objects (CSOs). Unique names can be used to reference objects during the negotiation of security services for a transaction or application. The register is also a repository of parameters associated with the registered object.
Authors: Nazario, N. A. (NIST)
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5308

Status: Final
Series/Pub#: NISTIR 5468
Title: Report of the NIST Workshop on Key Escrow Encryption
Pub Date: 6/1/1994
Abstract: On June 10, 1994, the National Institute of Standards and Technology (NIST) hosted a one-day workshop to present and discuss key escrow encryption technology, including the recently-approved Escrowed Encryption Standard (EES), Federal Information Processing Standard (FIPS) Publication 185. Speakers from government and industry presented the objectives of key escrow encryption, its current method, several alternative methods for key escrow encryption, system integrity requirements, international aspects of key escrowing, and future directions.
Authors: Oldehoeft, A. E. (Iowa State University); Branstad, D. K. (NIST)
Keywords: cryptography; Escrowed Encryption Standard (EES); key escrow; SKIPJACK algorithm; telecommunications

Status: Final
Series/Pub#: NISTIR 5472
Title: A Head Start on Assurance: Proceedings of an Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness, March 21-23, 1994
Pub Date: 3/1/1994
Abstract: The purpose of the Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness was to identify crucial issues on assurance in IT systems and to provide input into the development of policy guidance on determining the type and level of assurance appropriate in a given environment. The readers of these proceedings include those who handle sensitive information involving national security, privacy, commercial value, integrity, and availability. Existing IT security policy guidance is based on computer and communications architectures of the early 1980s. Technological changes since that time mandate a review and revision of policy guidance on assurance and trustworthiness, especially since the changes encompass such technologies as distributed systems, local area networks, the worldwide Internet, policy-enforcing applications, and public key cryptography.
Authors: Abrams, M. D. (The MITRE Corporation); Toth, P. (NIST)
Topic: Conferences & Workshops
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5472

Status: Final
Series/Pub#: NISTIR 5495
Title: Computer Security Training & Awareness Course Compendium
Pub Date: 9/1/1994
Abstract: [Compendium of computer security courses offered circa 1994]
Authors: Everhart, K. (NIST)
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-5495

Status: Final
Series/Pub#: NISTIR 6390
Title: Randomness Testing of the Advanced Encryption Standard Candidate Algorithms
Pub Date: 9/1/1999
Abstract: One of the criteria used to evaluate the Advanced Encryption Standard candidate algorithms was their demonstrated suitability as random number generators. That is, the evaluation of their output utilizing statistical tests should not provide any means by which to computationally distinguish them from a truly random source. This internal report lists several characteristics which an encryption algorithm exhibiting random behavior should possess, describes how the output for each candidate algorithm was evaluated for randomness, discusses what has been learned utilizing the NIST statistical tests, and finally provides an interpretation of the results.
Authors: Soto, J. (NIST)
Topic: Cryptography
Keywords: Advanced Encryption Standard (AES); random number generators; randomness; statistical tests
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6390

Status: Final
Series/Pub#: NISTIR 6416
Title: Applying Mobile Agents to Intrusion Detection and Response
Pub Date: 10/1/1999
Abstract: Effective intrusion detection capability is an elusive goal, not solved easily or with a single mechanism. However, mobile agents go a long way toward realizing the ideal behavior desired in an Intrusion Detection System (IDS). This report is an initial foray into the relatively unexplored terrain of using Mobile Agents for Intrusion Detection Systems (MAIDS). It suggests a number of innovative ways to apply agent mobility to address shortcomings of current IDS designs and implementations, and explores several new paradigms involving mobile agents. The report looks not only at the benefits derived from mobility, but also those inherent to agent technology, such as autonomous components. We explore these benefits in some detail and propose specific research topics in both the intrusion detection and intrusion response areas. We also discuss performance advantages and disadvantages that occur when using mobile agents in intrusion detection and response. The report concludes with a rating of the proposed research topics, falling under three main areas: performance enhancements, design improvements, and response improvements.
Authors: Jansen, W. (NIST); Mell, P. M. (NIST); Karygiannis, A. T. (NIST); Marks, D. G. (NIST)
Topic: Incident Response
Keywords: intrusion detection; intrusion response; mobile agents
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6416

Status: Final
Series/Pub#: NISTIR 6462
Title: CSPP - Guidance for COTS Security Protection Profiles (Formerly: CS2 - Protection Profile Guidance for Near-Term COTS) Version 1.0
Pub Date: 12/1/1999
Abstract: CSPP provides the guidance necessary to develop compliant Common Criteria protection profiles for near-term, achievable, security baselines using commercial off-the-shelf (COTS) information technology. CSPP accomplishes this purpose by: describing a largely policy-neutral, notional information system in the format of a protection profile (PP); specifying a subset of the Common Criteria to be used in developing compliant protection profiles; and providing the basis for refining policy-neutral guidance into specific policy requirements, and system security threats, objectives, and requirements into a subset which is appropriate for a specific PP. CSPP provides the requirements necessary to specify needs for both stand-alone and distributed, multi-user information systems. This covers general-purpose operating systems, database management systems, and other applications.
Authors: Stoneburner, G. (NIST)
Topic: Maintenance; Planning
Keywords: Commercial Off-The-Shelf products; Common Criteria; COTS; networked information systems; operating systems; Protection Profile
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6462

Status: Final
Series/Pub#: NISTIR 6483
Title: Randomness Testing of the Advanced Encryption Standard Finalist Candidates
Pub Date: 4/1/2000
Abstract: Mars, RC6, Rijndael, Serpent and Twofish were selected as finalists for the Advanced Encryption Standard (AES). To evaluate the finalists' suitability as random number generators, empirical statistical testing is commonly employed. Although it is widely believed that these five algorithms are indeed random, randomness testing was conducted to show that there is empirical evidence supporting this belief. In this paper, NIST reports on the studies that were conducted on the finalists for the 192-bit key size and 256-bit key size. The results to date suggest that all five of the finalists appear to be random.
Authors: Soto, J. (NIST); Bassham III, L. E. (NIST)
Topic: Cryptography
Keywords: Advanced Encryption Standard (AES); random number generators; randomness; statistical tests
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6483

Status: Final
Series/Pub#: NISTIR 6529-A
Title: Common Biometric Exchange Formats Framework (CBEFF)
Pub Date: 4/5/2004
Abstract: The Common Biometric Exchange Formats Framework (CBEFF) describes a set of data elements necessary to support biometric technologies in a common way. These data elements can be placed in a single file used to exchange biometric information between different system components or between systems. The result promotes interoperability of biometric-based application programs and systems developed by different vendors by allowing biometric data interchange. This specification is a revised (and augmented) version of the original CBEFF, the Common Biometric Exchange File Format, published as NISTIR 6529. In addition to the name change, which reflects more accurately the scope of the specification, NISTIR 6529-A incorporates new features such as a CBEFF nested structure in order to support multiple biometric data types (e.g., finger, face and voice) and/or multiple biometric data blocks of the same biometric type (e.g., finger biometric data blocks from more than one finger) within a CBEFF data structure, a Biometric Feature to further define the type of biometric data being placed in the file, a Validity Period for that data, an expanded definition of the Creator field which now specifies a Product Identifier, an Index Field associated with a specific instance of biometric reference data, a Challenge-Response field and a Payload field. NISTIR 6529-A also defines two new CBEFF Formats, biometric data objects for use within smart cards and other tokens and a simple root header for use in domains where more than one Patron Format, simple or nested, may be encountered.
Authors: Podio, F. L. (NIST); Dunn, J. S. (Department of Defense); Reinert, L. (Department of Defense); Tilton, C. J. (SAFLINK Corp.); Struif, B. (Fraunhofer SIT); Herr, F. (The Biometric Foundation); Russell, J. (Russell Technology); Collier, M. P. (The Biometric Foundation); Jerde, M. (Identity Technology Partners); O'Gorman, L. (Avaya Inc.); Wirtz, B. (Infineon Technologies AG)
Topic: Biometrics
Keywords: biometrics; biometric data format; biometric data elements; biometric data exchange; biometric technologies; data interchange; interoperability; nested structure
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6529-A
Status: Final
Series/Pub#: NISTIR 6887
Title: 2003 Edition Government Smart Card Interoperability Specification, Version 2.1
Pub Date: 7/16/2003
Abstract: This Government Smart Card Interoperability Specification (GSC-IS) provides solutions to a number of the interoperability challenges associated with smart card technology. The original version of the GSC-IS (version 1.0, August 2000) was developed by the GSC Interoperability Committee led by the General Services Administration (GSA) and the National Institute of Standards and Technology (NIST), in association with the GSA Smart Access Common Identification Card contract.
Authors: Schwarzhoff, T. (NIST); Dray Jr., J. F. (NIST); Wack, J. P. (NIST); Dalci, E. (NIST); Goldfine, A. H. (NIST); Iorga, M. (NIST)
Topic: Biometrics; Planning; Services & Acquisitions; Smart Cards
Keywords: government smart card program; smart access common identification card contract; smart card; smart card interoperability
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6887

Status: Final
Series/Pub#: NISTIR 6981
Title: Policy Expression and Enforcement for Handheld Devices
Pub Date: 4/1/2003
Abstract: The use of mobile handheld devices, such as Personal Digital Assistants (PDAs) and tablet computers, within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but instead have become indispensable tools that offer competitive business advantages for the mobile workforce. While providing productivity benefits, the ability of these devices to store and transmit corporate information through both wired and wireless networks poses potential risks to an organization's security. This paper describes a framework for managing user privileges on handheld devices. The approach is aimed at assisting enterprise security officers in administering and enforcing group and individual security policies for PDAs, and helping constrain users to comply automatically with their organization's security policy. Details of a proof-of-concept implementation of the framework are also provided.
Authors: Jansen, W. (NIST); Karygiannis, A. T. (NIST); Korolev, V. (NIST); Gavrila, S. I. (NIST); Iorga, M. (NIST)
Topic: Audit & Accountability; Incident Response; Planning; Risk Assessment
Keywords: digital certificates; handheld devices; PDA; Personal Digital Assistant; security policy; trust management
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6981

Status: Final
Series/Pub#: NISTIR 6985
Title: COTS Security Protection Profile - Operating Systems (CSPP-OS) (Worked Example Applying Guidance of NISTIR-6462, CSPP) Version 1.0
Pub Date: 4/1/2003
Abstract: CSPP-OS provides a worked example of the guidance in NISTIR-6462 for the development of Common Criteria Protection Profiles for commercial off-the-shelf (COTS) information technology. The intended audience consists of those individuals and organizations in both government and private sectors who are tasked with the responsibility to develop or review Protection Profiles. This document is presented as a protection profile, followed by a rationale that is structured as a separate document. This format was selected to facilitate using this guidance as a template for the development of Protection Profiles.
Authors: Stoneburner, G. (NIST)
Topic: Maintenance; Planning
Keywords: Commercial Off-The-Shelf products; Common Criteria; COTS; operating systems; Protection Profile
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-6985

Status: Final
Series/Pub#: NISTIR 7007
Title: An Overview of Issues in Testing Intrusion Detection Systems
Pub Date: 7/11/2003
Abstract: While intrusion detection systems are becoming ubiquitous defenses in today's networks, currently we have no comprehensive and scientifically rigorous methodology to test the effectiveness of these systems. This paper explores the types of performance measurements that are desired and that have been used in the past. We review many past evaluations that have been designed to assess these metrics. We also discuss the hurdles that have blocked successful measurements in this area and present suggestions for research directed toward improving our measurement capabilities.
Authors: Mell, P. M. (NIST); Hu, V. (NIST); Lippmann, R. (MIT Lincoln Laboratory); Haines, J. (MIT Lincoln Laboratory); Zissman, M. (MIT Lincoln Laboratory)
Topic: Research
Keywords: IDS performance measurement methodology; intrusion detection system (IDS); quantitative testing of IDSs
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7007

Status: Final
Series/Pub#: NISTIR 7030
Title: Picture Password: A Visual Login Technique for Mobile Devices
Pub Date: 7/1/2003
Abstract: Adequate user authentication is a persistent problem, particularly with handheld devices, which tend to be highly personal and at the fringes of an organization's influence. Yet, these devices are being used increasingly in corporate settings where they pose a security risk, not only by containing sensitive information, but also by providing the means to access such information over wireless network interfaces. User authentication is the first line of defense against a lost or stolen PDA. However, motivating users to enable simple PIN or password mechanisms and periodically update their authentication information is a constant struggle. This paper describes a means to authenticate a user to a PDA using a visual login technique called Picture Password. The underlying rationale is that a method for login based on visual image selection is an easy and natural way for users to authenticate, removing the most serious barriers to users' compliance with corporate policy. While the technique was designed specifically for handheld devices, it is also suitable for notebooks, workstations, and other computational devices.
Authors: Jansen, W. (NIST); Gavrila, S. I. (NIST); Korolev, V. (NIST); Ayers, R. P. (NIST); Swanstrom, R. (NIST)
Topic: Authentication
Keywords: authentication; handheld devices; mobile devices; PDA; Personal Digital Assistant; visual login
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7030

Status: Final
Series/Pub#: NISTIR 7046
Title: A Framework for Multi-mode Authentication: Overview and Implementation Guide
Pub Date: 8/1/2003
Abstract: The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization's security. Enabling adequate user authentication is the first line of defense against unauthorized use of a lost or stolen handheld device. Multiple modes of authentication increase the work factor needed to attack a device; however, few devices support more than one mode, usually password-based authentication. This report describes a general Multi-mode Authentication Framework (MAF) for applying organizational security policies, organized into distinct policy contexts known as echelons, among which a user may transition. The approach is aimed at helping users easily comply with their organization's security policy, yet be able to exercise a significant amount of flexibility and discretion. The design of the framework allows various types of authentication technologies to be incorporated readily and provides a simple interface for supporting different types of policy enforcement mechanisms. Details of the implementation of the framework are provided, as well as two example authentication mechanisms.
Authors: Jansen, W. (NIST); Korolev, V. (NIST); Gavrila, S. I. (NIST); Heute, T. (NIST); Séveillac, C. (Amadeus)
Topic: Authentication; Communications & Wireless; Cryptography
Keywords: authentication; MAF; mobile devices; Multi-mode Authentication Framework; PDA; Personal Digital Assistant; security policy
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7046

Status: Final
Series/Pub#: NISTIR 7056
Title: Card Technology Developments and Gap Analysis Interagency Report
Pub Date: 3/1/2004
Abstract: This Card Technology Developments and Gap Analysis Interagency Report (IR) provides information regarding current technical capabilities and limitations of storage and processor cards, current user requirements for individual and integrated technologies, and major impediments to technology exploitation. The report also identifies existing standards governing card technologies.
Authors: Barker, W. C. (NIST); Howard, D. (Booz Allen Hamilton); Grance, T. (NIST); Eyuboglu, L. (Booz Allen Hamilton)
Topic: Biometrics; Research; Smart Cards
Keywords: access cards; identification cards; smart cards; storage cards
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7056

Status: Final
Series/Pub#: NISTIR 7100
Title: PDA Forensic Tools: an Overview and Analysis
Pub Date: 8/1/2004
Abstract: Adequate user authentication is a persistent problem, particularly with mobile devices such as Personal Digital Assistants (PDAs), which tend to be highly personal and at the fringes of an organization's influence. Yet these devices are being used increasingly in military and government agencies, hospitals, and other business settings, where they pose a risk to security and privacy, not only from sensitive information they may contain, but also from the means they typically offer to access such information over wireless networks. User authentication is the first line of defense for a mobile device that falls into the hands of an unauthorized individual. However, motivating users to enable simple PIN or password mechanisms and periodically update their authentication information is difficult at best. This paper describes a general-purpose mechanism for authenticating users through image selection. The underlying rationale is that image recall is an easy and natural way for users to authenticate, removing a serious barrier to users' compliance with corporate policy. The approach described distinguishes itself from other attempts in this area in several ways, including style-dependent image selection, password reuse, and embedded salting, which collectively overcome a number of problems in employing knowledge-based authentication on mobile devices.
Authors: Ayers, R. P. (NIST); Jansen, W. (NIST)
Topic: Forensics; Incident Response; Services & Acquisitions
Keywords: computer forensics; forensic software; forensic toolkits; PDA; Personal Digital Assistant
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7100

Status: Final
Series/Pub#: NISTIR 7111
Title: Computer Security Division 2003 Annual Report
Pub Date: 4/30/2004
  • 54. Status Abstract Series Pub# Final NISTIR 7111 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2003. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act (FIMSA) of 2002 and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal Agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, the Division has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry. Authors Brewer, T. L. 
(NIST); Topic Annual Reports Keywords computer security; computer security awareness;computer security division; computer security guidance; computer security research; cryptographic standards; cyber security; FISMA; IT security; security testing and metrics Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7111 Final NISTIR 7200 Proximity Beacons and Mobile Device Authentication: an Overview and Implementation Pub Date 6/1/2005 Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization's security by the information they contain or can access remotely. Enabling adequate user authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device. This report describes an innovative type of authentication mechanism that relies on the presence of a signal from a wireless beacon for access to be granted. Such proximity beacons can be either organizational or personal oriented, and require only that handheld devices support a common standard wireless interface for Personal Area Network (PAN) communications, such as Bluetooth. Details of the design and implementation for both personal and organizational proximity beacons are provided. Authors Jansen, W. (NIST); Gavrila, S. I. (NIST); Korolev, V. 
(NIST); Topic Authentication; Research Keywords authentication; Bluetooth; mobile devices; MAF; Multi-mode Authentication Framework; organizational beacon; PAN; Personal Area Network; personal beacon; proximity beacon Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7200 Final NISTIR 7206 Smart Cards and Mobile Device Authentication: an Overview and Implementation Pub Date 7/1/2005 Abstract The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization's security by the information they contain or can access remotely. Enabling adequate user authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device. Smart cards have long been the choice of authentication mechanism for many organizations; however, few handheld devices easily support readers for standard-size smart cards. This report describes two novel types of smart cards that use standard interfaces supported by handheld devices, avoiding use of the more cumbersome standard-size smart card readers. These solutions are aimed at helping organization apply smart cards for authentication and other security services. Details of the design and implementation are provided. Authors Jansen, W. (NIST); Gavrila, S. I. (NIST); Séveillac, C. (Amadeus); Korolev, V. 
(NIST); Topic Authentication; Biometrics; Communications & Wireless; Cryptography; Smart Cards Keywords authentication; Bluetooth; mobile devices; MAF; Multi-mode Authentication Framework; smart cards; Smart Multi-Media Card; SMMC Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7206 Final NISTIR Pub Date Cloudburst Security, LLC 7219 Computer Security Division 2004 Annual Report 4/15/2005 Page 54 of 77 http://www.cloudburstsecurity.com
  • 55. Status Abstract Series Pub# Final NISTIR 7219 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2004. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology, initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act of 2002 (FIMSA) and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the nation s critical infrastructure systems. Moreover, the Division has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry. Authors Brewer, T. L. 
(NIST); Topic Annual Reports Keywords computer security; computer security awareness;computer security division; computer security guidance; computer security research; cryptographic standards; cyber security; FISMA; IT security; security testing and metrics Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7219 Final NISTIR 7224 4th Annual PKI R&D Workshop "Multiple Paths to Trust" Proceedings Pub Date 10/5/2005 Abstract NIST hosted the fourth annual Public Key Infrastructure (PKI) Research Workshop on April 19-21, 2005. The two and a half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in deploying public key authentication and authorization technologies. This proceedings includes the 17 refereed papers, and captures the essence of the six panels and interaction at the workshop. The workshop also included a work-in-progress session and a birds-of-a-feather session during the evenings at the workshop hotel. Attendees included presenters from the United Kingdom, Canada, New Zealand, and Japan. Due to the success of this event, a fifth workshop is planned for April 4-6, 2006. Authors Neuman, C. (University of Southern California); Hastings, N. E. (NIST); Polk, W. T. (NIST); Topic Conferences & Workshops; PKI; Research Keywords authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI); security; signatures; trust mechanisms; validation Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7224 Final NISTIR 7250 Cell Phone Forensic Tools: an Overview and Analysis Pub Date 10/19/2005 Abstract Cell phones and other handheld devices incorporating cell phone capabilities (e.g., Personal Digital Assistant (PDA) phones) are ubiquitous. 
Rather than just placing calls, certain phones allow users to perform additional tasks such as SMS (Short Message Service) messaging, MultiMedia Messaging Service (MMS) messaging, IM (Instant Messaging), electronic mail, Web browsing, and basic PIM (Personal Information Management) applications (e.g., phone and date book). PDA phones, often referred to as smart phones, provide users with the combined capabilities of both a cell phone and a PDA. In addition to network services and basic PIM applications, one can manage more extensive appointment and contact information, review electronic documents, give a presentation, and perform other tasks. All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the capabilities of these devices continue to improve rapidly. When cell phones or other cellular devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report gives an overview of current forensic software, designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations. Authors Ayers, R. P. (NIST); Jansen, W. (NIST); Cilleros, N. (Logware Informatique); Daniellou, R. (Infineon Technologies AG); Topic Forensics; Incident Response; Services & Acquisitions Keywords cell phone forensics; cell phones; computer forensics; mobile devices Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7250 Final NISTIR 7275 Rev. 
4 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 Pub Date 9/30/2011 Abstract This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and scoring. The specification also defines a data model and format for storing results of security guidance or checklist testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices. Authors Waltermire, D. A. (NIST); Schmidt, C. (The MITRE Corporation); Scarfone, K. A. (Scarfone Cybersecurity); Ziring, N. (Department of Defense); Cloudburst Security, LLC Page 55 of 77 http://www.cloudburstsecurity.com
  • 56. Status Topic Series Pub# Final NISTIR 7275 Rev. 4 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title Audit & Accountability; Maintenance; Security Automation Family Audit & Accountability; Configuration Management; Maintenance Keywords benchmarks; checklists; eXtensible Configuration Checklist Description Format; FISMA; security controls; vulnerabilities; XCCDF Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7275-Rev.%204 Final NISTIR 7275 Rev. 3 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4 Pub Date 1/1/2008 Abstract This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of security guidance or checklist compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices. Authors Ziring, N. (Department of Defense); Quinn, S. D. 
(NIST); Topic Audit & Accountability; Maintenance; Security Automation Family Audit & Accountability; Configuration Management; Maintenance Keywords benchmarks; checklists; eXtensible Configuration Checklist Description Format; FISMA; security controls; vulnerabilities; XCCDF Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7275-Rev.%203 Final NISTIR 7284 Personal Identity Verification Card Management Report Pub Date 1/6/2006 Abstract NIST Special Publication 800-73 (http://piv.nist.gov) provides technical specifications for Personal Identity Verification (PIV) cards. However, it does not contain a complete card management specification for PIV systems. This Report provides an overview of card management systems, identifies generic card management requirements, and considers some technical approaches to filling the existing gaps in PIV card management. The primary guiding principle in selecting technical approaches for consideration is that they require no changes to the existing PIV specifications. Authors Dray, J. F. (NIST); Corcoran, D. (Identity Alliance); Topic Audit & Accountability; Awareness & Training; Biometrics; Maintenance; Personal Identity Verification (PIV); Planning; Services & Acquisitions; Smart Cards Keywords authentication; card management systems; Homeland Security Presidential Directive 12; Personal Identity Verification; PIV; smart cards Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7284 Final NISTIR 7285 Computer Security Division 2005 Annual Report Pub Date 2/1/2006 Abstract This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2005. 
It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act (FIMSA) of 2002 and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal Agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the nation?s critical infrastructure systems. Moreover, the Division has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry. Authors Brewer, T. L. (NIST); Scholl, M. A. (NIST); Topic Annual Reports Keywords annual report; computer security; computer security awareness; Computer Security Division; computer security guidance; computer security research; cryptographic standards; cyber security; IT security; security testing and metrics Legal Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7285 Final NISTIR Pub Date Cloudburst Security, LLC 7290 Fingerprint Identification and Mobile Handheld Devices: An Overview and Implementation 3/1/2006 Page 56 of 77 http://www.cloudburstsecurity.com
  • 57. Status Abstract Series Pub# Final NISTIR 7290 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title The use of mobile handheld devices within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but have instead become indispensable tools that offer competitive business advantages for the mobile workforce. While these devices provide productivity benefits, they also pose new risks to an organization’s security by the information they contain or can access remotely. Enabling adequate user authentication is the first line of defense against unauthorized use of an unattended, lost, or stolen handheld device. This report describes using fingerprint identification on handheld devices. Two types of solutions are described: one that uses the computational capabilities of the handheld device to authenticate a user’s fingerprints, the other that uses the computational capabilities of a specialized processor to offload processing by the handheld device. Details of the design and implementation of both solutions are provided. Authors Jansen, W. (NIST); Daniellou, R. (Infineon Technologies AG); Cilleros, N. (Logware Informatique); Topic Authentication; Biometrics Keywords authentication; biometrics; fingerprint identification; mobile devices Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7290 Final NISTIR 7298 Rev. 2 Glossary of Key Information Security Terms Pub Date 5/31/2013 Abstract The National Institute of Standards and Technology (NIST) has received numerous requests to provide a summary glossary for our publications and other relevant sources, and to make the glossary available to practitioners. 
As a result of these requests, this glossary of common security terms has been extracted from NIST Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, NIST Interagency Reports (NISTIRs), and from the Committee for National Security Systems Instruction 4009 (CNSSI-4009). This glossary includes most of the terms in the NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009. This glossary provides a central resource of terms and definitions most commonly used in NIST information security publications and in CNSS information assurance publications. For a given term, we do not include all definitions in NIST documents – especially not from the older NIST publications. Since draft documents are not stable, we do not refer to terms/definitions in them. Each entry in the glossary points to one or more source NIST publications, and/or CNSSI-4009, and/or supplemental sources where appropriate. The NIST publications referenced are the most recent versions of those publications (as of the date of this document). Authors Kissel, R. L. (NIST); Topic General IT Security Keywords Cyber Security; Definitions; Glossary; Information Assurance; Information Security; Terms Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7298 Final NISTIR 7313 5th Annual PKI R&D Workshop "Making PKI Easy to Use" Proceedings Pub Date 6/1/2006 Abstract NIST hosted the fifth annual Public Key Infrastructure (PKI) Research Workshop on April 4-6, 2006. The two and a half day event brought together PKI experts from academia, industry, and government to explore the remaining challenges in deploying public key authentication and authorization technologies. This proceedings includes the 7 refereed papers, and captures the essence of the keynote, four invited talks, five panels and interaction at the workshop. The workshop also included a work-in-progress session and, new this year, an informal rump session. 
Attendees included presenters from the USA, United Kingdom, Israel, Australia, Norway, Sweden, Germany and Canada. Due to the success of this event, a sixth workshop is planned for Spring 2007. Authors Polk, W. T. (NIST); Hastings, N. E. (NIST); Seamons, K. (Brigham Young University); Topic Conferences & Workshops; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards Family Access Control; Identification & Authentication; System & Services Acquisition Keywords authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI); security; signatures; validation Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7313 Final NISTIR 7316 Assessment of Access Control Systems Pub Date 9/29/2006 Abstract Access control is perhaps the most basic aspect of computer security. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. In many systems access control takes the form of a simple password mechanism, but many require more sophisticated and complex control. In addition to the authentication mechanism (such as a password), access control is concerned with how authorizations are structured. In some cases, authorization may mirror the structure of the organization, while in others it may be based on the sensitivity level of various documents and the security level of the user accessing those documents. This publication explains some of the most commonly used access control services available in information technology systems, their structure, where they are likely to be used, and advantages and disadvantages of each. Authors Hu, V. C. (NIST); Ferraiolo, D. (NIST); Kuhn, D. R. 
(NIST); Topic Audit & Accountability; Planning; Risk Assessment Keywords access control; authentication; authorization; Discretionary Access Control; Non-Discretionary Access Control; RBAC; Role-Based Access Control; Rule-Based Access Control; security metrics; XML-Based Access Control Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle Cloudburst Security, LLC Page 57 of 77 http://www.cloudburstsecurity.com
  • 58. NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Status Series Pub# Link Final NISTIR 7316 Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7316 Title Draft NISTIR 7328 Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems Pub Date 9/29/2007 Abstract This report provides an initial set of requirements security assessment providers should satisfy to demonstrate capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customer’s responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received NIST will update and republish this report and use it as reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Authors Johnson, A. (NIST); Toth, P. 
(NIST); Topic Certification & Accreditation (C&A) Family Certification, Accreditation & Security Assessments Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7328 Final NISTIR 7337 Personal Identity Verification Demonstration Summary Pub Date 8/31/2006 Abstract This paper provides a summary of the NIST Personal Identity Verification (PIV) Demonstration. The PIV Demonstration took place from May 15 to June 14, 2006. Forty-four companies voluntarily participated through a Cooperative Research and Development Agreement (CRADA). The purpose of the demonstration was to show proof of concept and interoperability demonstrations of commercially available products that support FIPS 201 and the accompanying Special Publications. The results are summarized by product category. Authors McCallister, E. (NIST); Ferraiolo, H. (NIST); Topic Personal Identity Verification (PIV) Keywords CRADA; Cooperative Research and Development Agreement; demonstration project; FIPS 201; Personal Identity Verification; PIV Legal Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7337 Final NISTIR 7358 Program Review for Information Security Management Assistance (PRISMA) Pub Date 1/1/2007 Abstract Several sources of guidance, policies, standards and legislative acts provide many requirements for the federal agencies when protecting entrusted information. Various assessments, reviews, and inspections are an outcome of these information security requirements to monitor federal agency compliance. 
The manner in which these monitoring approaches are implemented may be very different, impacting agency resource constraints. The Federal Information Security Management Act (FISMA) of 2002 charged NIST to provide technical assistance to agencies regarding compliance with the standards and guidelines developed for securing information systems, as well as information security policies, procedures, and practices. This Interagency Report provides an overview of the NIST Program Review for Information Security Management Assistance (PRISMA) methodology. PRISMA is a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency. This report is provided as a framework for instructional purposes as well as to assist information security personnel, internal reviewers, auditors, and agency Inspector General (IG) staff personnel. Authors Bowen, P. (NIST); Kissel, R. L. (NIST); Topic Audit & Accountability; General IT Security; Planning Family Audit & Accountability; Certification, Accreditation & Security Assessments; Planning Keywords action plan; evaluation; inspections; maturity level; PRISMA; security issues; security reviews Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7358 Final NISTIR Pub Date Cloudburst Security, LLC 7359 Information Security Guide for Government Executives 1/1/2007 Page 58 of 77 http://www.cloudburstsecurity.com
Status: Final | Series: NISTIR | Pub#: 7359
Title: Information Security Guide for Government Executives
Abstract: The Information Security Guide for Government Executives provides a broad overview of information security program concepts to assist senior leaders in understanding how to oversee and support the development and implementation of information security programs. Management is responsible for: (1) Establishing the organization's information security program; (2) Setting program goals and priorities that support the mission of the organization; and (3) Making sure resources are available to support the security program and make it successful. Senior leadership commitment to security is more important now than ever before. Studies have shown that senior management's commitment to information security initiatives is the number one critical element that impacts an information security program's success. Meeting this need requires senior leadership to focus on effective information security governance and support, which in turn requires integration of security into the strategic and daily operations of an organization. When considering this challenge, five key security questions emerge for the executive: (1) What are the information security laws, regulations, standards, and guidance that I need to understand to build an effective security program? (2) What are the key activities to build an effective security program? (3) Why do I need to invest in security? (4) Where do I need to focus my attention in accomplishing critical security goals? (5) Where can I learn more to assist me in evaluating the effectiveness of my security program? This guide provides the answers to those questions.
Authors: Bowen, P. (NIST); Chew, E. (NIST); Hash, J. (NIST)
Topic: Awareness & Training; General IT Security; Planning
Family: Awareness & Training; Planning
Keywords: information security; information security program elements; security laws; security program; security regulations and standards
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7359

Status: Final | Series: NISTIR | Pub#: 7387
Title: Cell Phone Forensic Tools: an Overview and Analysis Update
Pub Date: 3/21/2007
Abstract: Cell phones and other handheld devices incorporating cell phone capabilities (e.g., Personal Digital Assistant (PDA) phones) are ubiquitous. Rather than just placing calls, most phones allow users to perform additional tasks, including Short Message Service (SMS) messaging, MultiMedia Messaging Service (MMS) messaging, Instant Messaging (IM), electronic mail, Web browsing, and basic Personal Information Management (PIM) applications (e.g., phone and date book). PDA phones, often referred to as smart phones, provide users with the combined capabilities of both a cell phone and a PDA. In addition to network services and basic PIM applications, one can manage more extensive appointment and contact information, review electronic documents, give a presentation, and perform other tasks. All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the existing capabilities of these devices continue to improve rapidly. When cell phones or other cellular devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report provides an overview of current tools designed for acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of their capabilities and limitations. It is a follow-on to NISTIR 7250, "Cell Phone Forensic Tools: an Overview and Analysis", which focuses on tools that have undergone significant updates since that publication or were not covered previously.
Authors: Ayers, R. P. (NIST); Jansen, W. (NIST); Delaitre, A. M. (NIST); Moenner, L. (NIST)
Topic: Communications & Wireless; Forensics; Incident Response; Research; Services & Acquisitions
Family: Incident Response; Planning; System & Services Acquisition
Keywords: cell phones; computer forensics; handheld devices; mobile devices
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7387

Status: Final | Series: NISTIR | Pub#: 7399
Title: Computer Security Division 2006 Annual Report
Pub Date: 3/21/2007
Abstract: This report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during the Fiscal Year 2006. It discusses all projects and programs within the Division, staff highlights, and publications. For many years, the Computer Security Division (CSD) has made great contributions to help secure the Nation's sensitive information and information systems. CSD's work has paralleled the evolution of information technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of information technology devices. CSD's important responsibilities were re-affirmed by Congress with passage of the Federal Information Security Management Act (FISMA) of 2002 and the Cyber Security Research and Development Act of 2002. Beyond the role to serve the Federal agencies under FISMA, CSD standards and guidelines are often voluntarily used by U.S. industry, global industry, and foreign governments as sources of information and direction for securing information systems. CSD's research also contributes to securing the Nation's critical infrastructure systems. Moreover, CSD has an active role in both national and international standards organizations in promoting the interests of security and U.S. industry.
Authors: Brewer, T. L. (NIST); Stine, K. M. (NIST)
Topic: Annual Reports
Keywords: annual report; computer security; computer security awareness; Computer Security Division; computer security guidance; computer security research; cryptographic standards; cyber security; IT security; security testing and metrics
Legal: Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7399

Cloudburst Security, LLC Page 59 of 77 http://www.cloudburstsecurity.com
Status: Final | Series: NISTIR | Pub#: 7427
Title: 6th Annual PKI R&D Workshop "Applications-Driven PKI" Proceedings
Pub Date: 10/9/2007
Abstract: NIST hosted the sixth Annual Public Key Infrastructure (PKI) Research Workshop on April 17-19, 2007. The two and a half day event brought together PKI experts from academia, industry, and government who had a particular interest in novel approaches to simplifying the use and management of X.509 digital certificates, both within and across enterprises. These proceedings include the 9 refereed papers, and capture the essence of the keynote, four panels and interaction at the workshop. The workshop also included a birds-of-a-feather session and an informal rump session. Attendees included presenters from the USA, Canada, Brazil, Czech Republic, Israel, Japan, Singapore, Uganda, UK, and Japan. Due to the success of this event, a seventh workshop is planned for Spring 2008.
Authors: Polk, W. T. (NIST); Seamons, K. (Brigham Young University)
Topic: Conferences & Workshops; Digital Signatures; Personal Identity Verification (PIV); PKI; Services & Acquisitions; Smart Cards
Keywords: authentication; Certificate Authority (CA); interoperability; Public Key Cryptography (PKC); Public Key Infrastructure (PKI); security; signatures; validation
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7427

Status: Final | Series: NISTIR | Pub#: 7435
Title: The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems
Pub Date: 9/4/2007
Abstract: The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The National Vulnerability Database (NVD) provides specific CVSS scores for virtually all publicly known vulnerabilities. Federal agencies can use the Federal Information Processing Standards (FIPS) 199 security categories with the NVD CVSS scores to obtain impact scores that are tailored to each agency's environment. CVSS consists of three groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0.0 to 10.0, and a vector, a compressed textual representation that reflects the values used to derive the score. The Base group represents the intrinsic qualities of a vulnerability. The Temporal group reflects the characteristics of a vulnerability that change over time. The Environmental group represents the characteristics of a vulnerability that are unique to any user's environment. CVSS enables IT managers, vulnerability bulletin providers, security vendors, application vendors and researchers to all benefit by adopting this common language of scoring IT vulnerabilities.
Authors: Mell, P. M. (NIST); Scarfone, K. A. (NIST); Romanosky, S. (Carnegie Mellon University)
Topic: General IT Security; Security Automation; Viruses & Malware
Family: Configuration Management
Keywords: Common Vulnerability Scoring System; CVSS; National Vulnerability Database; NVD; security metrics; vulnerability scoring
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7435

Status: Final | Series: NISTIR | Pub#: 7442
Title: Computer Security Division 2007 Annual Report
Pub Date: 4/1/2008
Abstract: Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component of NIST's Information Technology Laboratory (ITL), is to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year 2007 (FY 2007), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security and privacy mechanisms were developed and applied that improved information security across the federal government and the greater information security community. This annual report highlights the research agenda and activities in which CSD was engaged during FY 2007.
Authors: Stine, K. M. (NIST); Wilson, M. (NIST)
Topic: Annual Reports
Keywords: annual report; Computer Security Division; projects; highlights
Legal: Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7442

Status: Final | Series: NISTIR | Pub#: 7452
Title: Secure Biometric Match-on-Card Feasibility Report
Pub Date: 11/30/2007
Abstract: FIPS 201, "Personal Identity Verification (PIV) of Federal Employees and Contractors," and its associated special publications define a method to perform biometric match-off-card authentication of a PIV cardholder when the PIV card is inserted into a contact smart card reader. Today, however, many smart cards implement match-on-card technologies and are designed to perform cardholder authentication using a contactless interface. Contactless match-on-card operation requires additional security measures to ensure the transaction data is encrypted and can be securely transmitted, which can impact performance. NIST conducted the Secure Biometric Match-on-Card (SBMOC) feasibility study to understand the effects of security on performance. This report describes the tests that were conducted to obtain timing metrics for the SBMOC feasibility study and provides a summary of the test results. This feasibility study also allows NIST to explore smart card technology advancements for possible extension of the FIPS 201 and/or other smart card standards.
Authors: Cooper, D. A. (NIST); Dang, H. (Booz Allen Hamilton); Lee, P. (Identity Technology Partners); MacGregor, W. I. (NIST); Mehta, K. (Mehta, Inc.)
Topic: Authentication; Biometrics; Communications & Wireless; Cryptography; Personal Identity Verification (PIV); PKI; Smart Cards
Family: Access Control; System & Information Integrity
Keywords: biometrics; feasibility study; FIPS 201; Match-on-Card; Personal Identity Verification; PIV
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7452

Status: Final | Series: NISTIR | Pub#: 7497
Title: Security Architecture Design Process for Health Information Exchanges (HIEs)
Pub Date: 9/30/2010
Abstract: The purpose of this publication is to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that demonstrates how these practices can be applied to the development of HIEs. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.
Authors: Scholl, M. A. (NIST); Stine, K. M. (NIST); Lin, K. (Booz Allen Hamilton); Steinberg, D. I. (Booz Allen Hamilton)
Topic: Planning; Research; Risk Assessment; Services & Acquisitions
Family: Access Control; Planning; Risk Assessment; System & Services Acquisition
Keywords: Health Information Exchange; health IT; HIE; information security
Legal: Health Insurance Portability and Accountability Act (HIPAA)/Assure Health Information Privacy & Security
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7497

Status: Final | Series: NISTIR | Pub#: 7502
Title: The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities
Pub Date: 12/27/2008
Abstract: The Common Configuration Scoring System (CCSS) is a set of measures of the severity of software security configuration issues. CCSS is derived from the Common Vulnerability Scoring System (CVSS), which was developed to measure the severity of vulnerabilities due to software flaws. CCSS can assist organizations in making sound decisions as to how security configuration issues should be addressed and can provide data to be used in quantitative assessments of the overall security posture of a system. This report defines proposed measures for CCSS and equations to be used to combine the measures into severity scores for each configuration issue. The report also provides several examples of how CCSS measures and scores would be determined for a diverse set of security configuration issues.
Authors: Mell, P. M. (NIST); Scarfone, K. A. (G2, Inc.)
Topic: Risk Assessment; Security Automation
Family: Configuration Management; Risk Assessment
Keywords: security configuration; security measurement; vulnerability measurement; vulnerability scoring
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7502

Status: Final | Series: NISTIR | Pub#: 7511 Rev. 3
Title: Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements
Pub Date: 7/11/2013
Abstract: This report defines the requirements and associated test procedures necessary for products to achieve one or more Security Content Automation Protocol (SCAP) validations. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program (NVLAP).
Authors: Banghart, J. (NIST); Cook, M. (NIST); Quinn, S. D. (NIST); Waltermire, D. A. (NIST); Bove, A. (Secure Acuity)
Topic: Certification & Accreditation (C&A); Security Automation
Family: Certification, Accreditation & Security Assessments; System & Services Acquisition
Keywords: Security Content Automation Protocol (SCAP); SCAP derived test requirements (DTR); SCAP validated tools; SCAP validation
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7511-Rev.%203
Status: Final | Series: NISTIR | Pub#: 7516
Title: Forensic Filtering of Cell Phone Protocols
Pub Date: 8/27/2008
Abstract: Phone managers are non-forensic software tools designed to carry out a range of tasks for the user, such as reading and updating the contents of a phone, using one or more of the communications protocols supported by the phone. Phone managers are sometimes used by forensic investigators to recover data from a cell phone when no suitable forensic tool is available. While precautions can be taken to preserve the integrity of data on a cell phone, inherent risks exist. Applying a forensic filter to phone manager protocol exchanges with a device is proposed as a means to reduce risk.
Authors: Delaitre, A. M. (NIST); Jansen, W. (NIST)
Topic: Forensics; Research
Family: Audit & Accountability
Keywords: cell phones; computer forensics; phone managers; protocol filters
Legal: Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7516

Status: Final | Series: NISTIR | Pub#: 7536
Title: Computer Security Division 2008 Annual Report
Pub Date: 3/16/2009
Abstract: This annual report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2008. It discusses all projects and programs within the Division, staff highlights, and publications.
Authors: O'Reilly, P. D. (NIST)
Topic: Annual Reports
Keywords: annual report; Computer Security Division; projects; highlights
Legal: Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7536

Status: Final | Series: NISTIR | Pub#: 7539
Title: Symmetric Key Injection onto Smart Cards
Pub Date: 12/22/2008
Abstract: This paper describes architectures for securely injecting secret keys onto smart cards. Specifically, this paper details key injection architectures based on the identity credentials available on the Personal Identity Verification (PIV) Card. The primary goal is to create additional opportunities for the use of the PIV Card in Physical Access Control Systems (PACS). There is significant interest in conducting a fast, accurate, and highly secured authentication transaction using symmetric keys in PACS environments. This paper identifies ways to load site-specific symmetric keys onto a PIV Card after the card has been issued, which allows each smart card to share a unique secret key with each PACS with which it interacts. The paper presents four protocols that enable a Card Management System (CMS) to securely load site-specific PACS symmetric keys. Each protocol presents unique security characteristics and uses the PIV Card's card management key in different capacities.
Authors: Cooper, D. A. (NIST); MacGregor, W. I. (NIST)
Topic: Cryptography; Smart Cards
Family: Identification & Authentication
Keywords: card authentication key; cryptographic key management; FIPS 201; HSPD-12; PACS; Personal Identity Verification; Physical Access Control Systems; PIV; smart cards
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7539

Status: Final | Series: NISTIR | Pub#: 7559
Title: Forensics Web Services (FWS)
Pub Date: 6/30/2010
Abstract: Web services are currently a preferred way to architect and provide complex services. This complexity arises due to the composition of new services and dynamically invoking existing services. These compositions create service inter-dependencies that can be misused for monetary or other gains. When a misuse is reported, investigators have to navigate through a collection of logs to recreate the attack. In order to facilitate that task, we propose creating forensics web services (FWS) that would securely maintain transactional records between other web services. These secure records can be re-linked to reproduce the transactional history by an independent agency. In this report we show the necessary components of a forensic framework for web services and its success through a case study.
Authors: Singhal, A. (NIST); Gunestas, M. (George Mason University); Wijesekara, D. (George Mason University)
Topic: Forensics; General IT Security; Research
Keywords: accountable services; digital forensics; services oriented architecture; web services
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7559

Status: Final | Series: NISTIR | Pub#: 7564
Title: Directions in Security Metrics Research
Pub Date: 8/3/2009
Abstract: More than 100 years ago, Lord Kelvin insightfully observed that measurement is vital to deep knowledge and understanding in physical science. During the last few decades, researchers have made various attempts to develop measures and systems of measurement for computer security with varying degrees of success. This paper provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.
Authors: Jansen, W. (NIST)
Topic: General IT Security; Research; Risk Assessment
Family: Risk Assessment
Keywords: computer security; security evaluation; security metrics
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7564

Status: Final | Series: NISTIR | Pub#: 7581
Title: System and Network Security Acronyms and Abbreviations
Pub Date: 9/30/2009
Abstract: This report contains a list of selected acronyms and abbreviations for system and network security terms with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network security publications.
Authors: Scarfone, K. A. (NIST); Thompson, V. (Booz Allen Hamilton)
Topic: General IT Security
Keywords: network security; system security
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7581

Status: Final | Series: NISTIR | Pub#: 7601
Title: Framework for Emergency Response Official (ERO): Authentication and Authorization Infrastructure
Pub Date: 9/9/2010
Abstract: This document describes a framework (with the acronym ERO-AA) for establishing an infrastructure for authentication and authorization of Emergency Response Officials (ERO) who respond to various types of man-made and natural disasters. The population of individuals authenticated and authorized under the ERO-AA infrastructure includes Federal Emergency Response Officials (FEROs), State/Local/Tribal/Private Sector Emergency Response Officials (SLTP-EROs) and the FEMA Disaster Reserve Workforce (DRW). The system supports the establishment, conveyance and validation of Identity Credentials (ICs), Attribute Credentials (ATs) and Deployment Authorization Credentials (DAs). Apart from enumeration of the types of EROs and their associated authority domains (called major players) and types of credentials, the conceptualization of the framework for the ERO-AA infrastructure includes a detailed description of various component services under three major service classes: Credentialing Service Class, Identity Verification and Attribute Validation Service Class and Trust Federation Service Class. The framework is predicated upon the use of trusted tokens capable of supporting biometric as well as secret key based identity authentication.
Authors: Chandramouli, R. (NIST); Schwarzhoff, T. (NIST)
Topic: Authentication
Family: Identification & Authentication
Keywords: authentication; authorization; emergency response officials; identity and attribute credentials; trusted tokens
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7601

Status: Final | Series: NISTIR | Pub#: 7609
Title: Cryptographic Key Management Workshop Summary June 8-9, 2009
Pub Date: 1/8/2010
Abstract: On June 8 and 9, 2009, NIST held a Cryptographic Key Management (CKM) Workshop at its Gaithersburg, Maryland, campus that attracted approximately 80 people attending the workshop in person, with another 75 participating through video conferencing, and an additional 36 participating via audio teleconferencing. A total of 36 speakers, including technical experts, security standards leaders, and experienced managers, gave presentations on various aspects of CKM during the workshop. Two presentations were made remotely via audio teleconferencing facilities. This summary provides the highlights of workshop presentations organized both by major CKM topics and also by presenter.
Authors: Barker, E. B. (NIST); Branstad, D. K. (NIST); Chokhani, S. (CygnaCom Solutions, Inc.); Smid, M. E. (Orion Security Solutions)
Topic: Conferences & Workshops; Cryptography; PKI
Keywords: CKM; CKM System Design Framework; cryptographic key management; cryptographic security
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7609

Status: Final | Series: NISTIR | Pub#: 7611
Title: Use of ISO/IEC 24727
Pub Date: 8/14/2009
Abstract: This document describes the use of ISO/IEC 24727 in enabling client-applications to access identity credentials issued by different credential issuers.
Authors: Dang, H. (Booz Allen Hamilton); Ferraiolo, H. (NIST); MacGregor, W. I. (NIST); Mehta, K. (Booz Allen Hamilton); Schwarzhoff, T. (NIST)
Topic: Authentication; Awareness & Training; Biometrics; Cryptography; Digital Signatures; General IT Security; Personal Identity Verification (PIV); PKI; Planning; Research
Family: Access Control; Awareness & Training; Identification & Authentication; Planning
Keywords: authentication; HSPD-12; identity credentials; ISO/IEC 24727; Personal Identity Verification; PIV; smart card identity applications
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7611

Status: Final | Series: NISTIR | Pub#: 7617
Title: Mobile Forensic Reference Materials: a Methodology and Reification
Pub Date: 10/14/2009
Abstract: This report concerns the theoretical and practical issues with automatically populating mobile devices with reference test data for use as reference materials in validation of forensic tools. It describes an application and data set developed to populate identity modules and highlights subtleties involved in the process. Intriguing results attained by recent versions of commonly-used forensic tools when used to recover the populated data are also discussed. The results indicate that reference materials can be used to identify a variety of inaccuracies that exist in present-day forensic tools.
Authors: Jansen, W. (NIST); Delaitre, A. M. (NIST)
Topic: Communications & Wireless; Forensics; Research
Keywords: computer forensics; forensic tool validation; mobile devices
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7617

Status: Final | Series: NISTIR | Pub#: 7620
Title: Status Report on the First Round of the SHA-3 Cryptographic Hash Algorithm Competition
Pub Date: 9/1/2009
Abstract: The National Institute of Standards and Technology is in the process of selecting a new cryptographic hash algorithm through a public competition. The new hash algorithm will be referred to as "SHA-3" and will complement the SHA-2 hash algorithms currently specified in FIPS 180-3, Secure Hash Standard. In October, 2008, 64 candidate algorithms were submitted to NIST for consideration. Among these, 51 met the minimum acceptance criteria and were accepted as First-Round Candidates on Dec. 10, 2008, marking the beginning of the First Round of the SHA-3 cryptographic hash algorithm competition. This report describes the evaluation criteria and selection process, based on public feedback and internal review of the first-round candidates, and summarizes the 14 candidate algorithms announced on July 24, 2009 for moving forward to the second round of the competition. The 14 Second-Round Candidates are BLAKE, BLUE MIDNIGHT WISH, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein.
Authors: Regenscheid, A. R. (NIST); Perlner, R. A. (NIST); Chang, S.-j. (NIST); Kelsey, J. M. (NIST); Nandi, M. (NIST); Paul, Souradyuti (NIST)
Topic: Cryptography
Keywords: cryptographic hash algorithm; cryptographic hash function; cryptography; SHA-3
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7620

Status: Final | Series: NISTIR | Pub#: 7621
Title: Small Business Information Security: the Fundamentals
Pub Date: 10/1/2009
Abstract: For some small businesses, the security of their information, systems, and networks might not be a high priority, but for their customers, employees, and trading partners it is very important. The term Small Enterprise (or Small Organization) is sometimes used for this same category of business or organization. A small enterprise/organization may also be a nonprofit organization. The size of a small business varies by type of business, but typically is a business or organization with up to 500 employees. In the United States, the number of small businesses totals over 95% of all businesses. The small business community produces around 50% of our nation's Gross National Product (GNP) and creates around 50% of all new jobs in our country. Small businesses, therefore, are a very important part of our nation's economy. They are a significant part of our nation's critical economic and cyber infrastructure. Larger businesses in the United States have been actively pursuing information security with significant resources including technology, people, and budgets for some years now. As a result, they have become a much more difficult target for hackers and cyber criminals. Consequently, the hackers and cyber criminals are now focusing their unwanted attention on less secure small businesses. Therefore, it is important that each small business appropriately secure their information, systems, and networks. This Interagency Report (IR) will assist small business management to understand how to provide basic security for their information, systems, and networks.
Authors: Kissel, R. (NIST)
Topic: Awareness & Training; General IT Security; Planning
Family: Access Control; Awareness & Training; Configuration Management; Contingency Planning; Identification & Authentication; Media Protection; Personnel Security; Physical & Environmental Protection; Planning; System & Communication Protection; System & Information Integrity; System & Services Acquisition
Keywords: information security; small business
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7621

Status: Final | Series: NISTIR | Pub#: 7622
Title: Notional Supply Chain Risk Management Practices for Federal Information Systems
Pub Date: 10/16/2012
Abstract: This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk to federal information systems. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.
Authors: Boyens, J. (NIST); Paulsen, C. (NIST); Bartol, N. (Booz Allen Hamilton); Shankles, S. A. (Booz Allen Hamilton); Moorthy, R. (Hatha Systems)
Topic: General IT Security; Services & Acquisitions
Family: System & Services Acquisition
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7622

Status: Final | Series: NISTIR | Pub#: 7628
Title: Guidelines for Smart Grid Cyber Security
Pub Date: 8/31/2010
Abstract: Smart Grid technologies will introduce millions of new intelligent components to the electric grid that communicate in much more advanced ways (e.g., two-way communications, and wired and wireless communications) than in the past. This report is for individuals and organizations who will be addressing cyber security for Smart Grid systems. The privacy recommendations, the security requirements, and the supporting analyses that are included in this report may be used by strategists, designers, implementers, and operators of the Smart Grid, e.g., utilities, equipment manufacturers, regulators, as input to their risk assessment process and other tasks in the security lifecycle of a Smart Grid information system. This report focuses on specifying an analytical framework that may be useful to an organization. It is a baseline, and each organization must develop its own cyber security strategy for the Smart Grid. The information in this report serves as guidance to various organizations for assessing risk and selecting appropriate security requirements and privacy recommendations.
Authors: The Smart Grid Interoperability Panel–Cyber Security Working Group
Topic: Cyber-Physical Systems & Smart Grid; Risk Assessment
Keywords: cyber security; privacy; security requirements; smart grid
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628

Status: Draft | Series: NISTIR | Pub#: 7628 Rev. 1
Title: Guidelines for Smart Grid Cyber Security
Pub Date: 10/25/2013
Abstract: This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization's cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify.
Authors: The Smart Grid Interoperability Panel–Smart Grid Cybersecurity Committee
Topic: Cyber-Physical Systems & Smart Grid; Risk Assessment
Keywords: advanced metering infrastructure; architecture; cryptography; cybersecurity; electric grid; privacy; security requirements; smart grid
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7628r1

Status: Final | Series: NISTIR | Pub#: 7653
Title: Computer Security Division 2009 Annual Report
Pub Date: 6/25/2010
Abstract: This annual report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2009. It discusses all projects and programs within the Division, staff highlights, and publications.
Authors: O'Reilly, P. D. (NIST)
Topic: Annual Reports
Keywords: annual report; Computer Security Division; projects; highlights
Legal: Federal Information Security Management Act of 2002 (FISMA)/Annual Public Report on Activities Undertaken in the Previous Year
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7653

Status: Final | Series: NISTIR | Pub#: 7657
Title: A Report on the Privilege (Access) Management Workshop
Pub Date: 3/30/2010
Abstract: This document is based on the discussions and conclusions of the Privilege (Access) Management Workshop held on 1-3 September, 2009 at the Gaithersburg, Maryland facilities of the National Institute of Standards and Technology (NIST), sponsored by NIST and the National Security Agency (NSA). This document includes additional material resulting from in-scope comments made by workshop participants and the public during the review periods for this document. An overview of the workshop is available in the published proceedings of the workshop.
Authors: NIST/NSA Privilege (Access) Management Conference Collaboration Team
Topic: Conferences & Workshops
Keywords: access control; credential; eXtensible Access Control Markup Language; healthcare IT; Health Insurance Portability and Accountability Act; HIPAA; identity; privilege management; RAdAC; Risk-Adaptable Access Control; XACML
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7657

Status: Final | Series: NISTIR | Pub#: 7658
Title: Guide to SIMfill Use and Development
Pub Date: 2/24/2010
Abstract: SIMfill is a proof-of-concept, open source application developed by NIST to populate identity modules with test data, as a way to assess the recovery capability of mobile forensic tools. An initial set of test data is also provided with SIMfill as a baseline for creating other test cases. This report describes the design and organization of SIMfill in sufficient detail to allow informed use and experimentation with the software and test data provided, including the option to modify and extend the program and data provided to meet specific needs.
Authors: Jansen, W. (NIST); Delaitre, A. M. (NIST)
Topic: Forensics; Research
Family: Incident Response
Keywords: computer forensics; reference materials; tool validation
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7658

Status: Final | Series: NISTIR | Pub#: 7665
Title: Proceedings of the Privilege Management Workshop, September 1-3, 2009
Pub Date: 3/30/2010
Abstract: Privilege management is large and complex, often the source of heated debate and opinion, and fraught with widely-understood, yet ill-defined terminology and concepts. The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) sponsored the first Privilege Management Workshop at NIST's main campus in Gaithersburg, Maryland, September 1-3, 2009. The workshop was attended by approximately 120 people representing Executive branch Federal agencies, the private sector, and academia. The primary goal of this first workshop was to bring together a wide spectrum of individuals representing differing viewpoints, use cases, and organizational needs with the intent to reach a common understanding of several facets of this important area.
This includes reaching consensus on the definition of privilege management and other terminology; understanding and analyzing the strengths and weaknesses of current and proposed access control models; ascertaining the current state of the practice and future research directions in privilege management; and understanding and articulating the managerial, legal, and policy requirements associated with privilege management. Authors Durrant, S. A. (The MITRE Corporation); Brewer, T. (NIST); Sokol, A. W. (NIST); Topic Conferences & Workshops Keywords access control; eXtensible Access Control Markup Language; healthcare IT; Health Insurance Portability and Accountability Act; HIPAA; privilege management; RAdAC; Risk-Adaptable Access Control; XACML Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7665 Draft NISTIR 7669 Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements Pub Date 3/10/2010 Abstract describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products. Authors Banghart, J. (NIST); Quinn, S. D. (NIST); Waltermire, D. A. (NIST); Topic Certification & Accreditation (C&A) Keywords conformance testing; Open Vulnerability Assessment Language; OVAL; vulernabilities Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7669 Draft NISTIR 7670 Proposed Open Specifications for an Enterprise Remediation Automation Framework Pub Date 2/10/2011 Abstract The success of SCAP in automated system assessment has fostered research related to the development of similar open specifications in support of enterprise remediation. 
Enterprise remediation is focused on delivering capabilities that allow organizations to identify, describe and implement desired system changes across the enterprise. Remediation actions can include changes to the configuration of an operating system or application, installation of a software patch, or the installation or removal of applications and libraries. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements. This report is a product of ongoing collaboration between the National Institute of Standards and Technology (NIST), the US Department of Defense, and the MITRE Corporation. Participation from a broader community of interested parties is actively sought to help define, refine and mature proposed remediation standards. Authors Waltermire, D. A. (NIST); Johnson, C. (); Kerr, M. (); Wojcik, M. (); Wunder, J. (); Topic Audit & Accountability; General IT Security; Incident Response; Services & Acquisitions Family Audit & Accountability; Configuration Management; Incident Response Keywords security automation; Security Content Automation Protocol; SCAP; enterprise security Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Cloudburst Security, LLC http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7670 Page 66 of 77 http://www.cloudburstsecurity.com
Final NISTIR 7676: Maintaining and Using Key History on Personal Identity Verification (PIV) Cards
Pub Date: 6/18/2010
Abstract: NIST Special Publication 800-73-3 introduces the ability to store retired Key Management Keys within the Personal Identity Verification (PIV) Card Application on a PIV Card. This paper complements SP 800-73-3 by providing some of the rationale for the design of the mechanism for storing retired Key Management Keys on PIV Cards and by providing suggestions to smart card vendors, PIV Card Issuers, and middleware developers on the use of the Key History mechanism.
Authors: Cooper, D. A. (NIST)
Topic: Cryptography; Personal Identity Verification (PIV); PKI; Smart Cards
Family: System & Communication Protection
Keywords: key management; Personal Identity Verification; PIV; smart cards
Legal: Homeland Security Presidential Directive-12 (HSPD-12)/Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7676

Final NISTIR 7692: Specification for the Open Checklist Interactive Language (OCIL) Version 2.0
Pub Date: 4/7/2011
Abstract: This report defines version 2.0 of the Open Checklist Interactive Language (OCIL). The intent of OCIL is to provide a standardized basis for expressing questionnaires and related information, such as answers to questions and final questionnaire results, so that the questionnaires can use a standardized, machine-readable approach to interacting with humans and using information stored during previous data collection efforts. OCIL documents are Extensible Markup Language (XML) based. This report defines and explains the requirements that IT products and OCIL documents asserting conformance with the OCIL 2.0 specification must meet.
Authors: Waltermire, D. A. (NIST); Scarfone, K. A. (G2, Inc.); Casipe, M. (The MITRE Corporation)
Topic: Audit & Accountability; Certification & Accreditation (C&A); Risk Assessment; Security Automation
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Risk Assessment
Keywords: assessment; OCIL; Open Checklist Interactive Language; questionnaire; SCAP; security automation; Security Content Automation Protocol; XML
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7692

Final NISTIR 7693: Specification for Asset Identification 1.1
Pub Date: 6/17/2011
Abstract: Asset identification plays an important role in an organization's ability to quickly correlate different sets of information about assets. This specification provides the necessary constructs to uniquely identify assets based on known identifiers and/or known information about the assets. This specification describes the purpose of asset identification, a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a number of known use cases for asset identification.
Authors: Wunder, J. (The MITRE Corporation); Halbardier, A. M. (Booz Allen Hamilton); Waltermire, D. A. (NIST)
Topic: Audit & Accountability; Security Automation
Family: Audit & Accountability; Configuration Management
Keywords: asset identification; asset management; IT management
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7693

Final NISTIR 7694: Specification for Asset Reporting Format 1.1
Pub Date: 6/21/2011
Abstract: This specification describes the Asset Reporting Format (ARF), a data model for expressing the transport format of information about assets and the relationships between assets and reports. The standardized data model facilitates the reporting, correlating, and fusing of asset information throughout and between organizations. ARF is vendor and technology neutral, flexible, and suited for a wide variety of reporting applications. The intent of ARF is to provide a uniform foundation for the expression of reporting results, fostering more widespread application of sound IT management practices. ARF can be used for any type of asset, not just IT assets.
Authors: Halbardier, A. M. (Booz Allen Hamilton); Waltermire, D. A. (NIST); Johnson, M. (Booz Allen Hamilton)
Topic: Audit & Accountability; Security Automation
Family: Audit & Accountability; Configuration Management
Keywords: ARF; Asset Reporting Format; IT management
Legal: OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Manage System Configurations & Security throughout the System Development Life Cycle
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7694
Final NISTIR 7695: Common Platform Enumeration: Naming Specification Version 2.3
Pub Date: 8/19/2011
Abstract: This report defines the Common Platform Enumeration (CPE) Naming version 2.3 specification. The CPE Naming specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE Naming specification defines the logical structure of names for IT product classes and the procedures for binding and unbinding these names to and from machine-readable encodings. This report also defines and explains the requirements that IT products must meet for conformance with the CPE Naming version 2.3 specification.
Authors: Cheikes, B. A. (The MITRE Corporation); Waltermire, D. A. (NIST); Scarfone, K. A. (Scarfone Cybersecurity)
Topic: Audit & Accountability; Security Automation
Family: Audit & Accountability; Configuration Management
Keywords: Common Platform Enumeration; CPE; SCAP; security automation
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7695

Final NISTIR 7696: Common Platform Enumeration: Name Matching Specification Version 2.3
Pub Date: 8/19/2011
Abstract: This report defines the Common Platform Enumeration (CPE) Name Matching version 2.3 specification. The CPE Name Matching specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE Name Matching specification provides a method for conducting a one-to-one comparison of a source CPE name to a target CPE name. In addition to defining the specification, this report also defines and explains the requirements that IT products must meet for conformance with the CPE Name Matching version 2.3 specification.
Authors: Parmelee, M. C. (The MITRE Corporation); Booth III, H. (NIST); Waltermire, D. A. (NIST); Scarfone, K. A. (Scarfone Cybersecurity)
Topic: Audit & Accountability; Security Automation
Family: Audit & Accountability; Configuration Management
Keywords: Common Platform Enumeration; CPE; SCAP; security automation
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7696

Final NISTIR 7697: Common Platform Enumeration: Dictionary Specification Version 2.3
Pub Date: 8/19/2011
Abstract: This report defines the Common Platform Enumeration (CPE) Dictionary version 2.3 specification. The CPE Dictionary Specification is a part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. An individual CPE dictionary is a repository of IT product names, with each name in the repository identifying a unique class of IT product in the world. This specification defines the semantics of the CPE Dictionary data model and the rules associated with CPE dictionary creation and management. This report also defines and explains the requirements that IT products and services, including CPE dictionaries, must meet for conformance with the CPE Dictionary version 2.3 specification.
Authors: Cichonski, P. R. (NIST); Waltermire, D. A. (NIST); Scarfone, K. A. (Scarfone Cybersecurity)
Topic: Audit & Accountability; Security Automation
Family: Audit & Accountability; Configuration Management
Keywords: Common Platform Enumeration; CPE; SCAP; security automation
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7697

Final NISTIR 7698: Common Platform Enumeration: Applicability Language Specification Version 2.3
Pub Date: 8/19/2011
Abstract: This report defines the Common Platform Enumeration (CPE) Applicability Language version 2.3 specification. The CPE Applicability Language specification is part of a stack of CPE specifications that support a variety of use cases relating to IT product description and naming. The CPE Applicability Language data model builds on top of other CPE specifications to provide the functionality required to allow CPE users to construct complex groupings of CPE names to describe IT platforms. These groupings are referred to as applicability statements because they are used to designate which platforms particular guidance, policies, etc. apply to. This report defines the semantics of the CPE Applicability Language data model and the requirements that IT products and CPE Applicability Language documents must meet for conformance with the CPE Applicability Language version 2.3 specification.
Authors: Waltermire, D. A. (NIST); Cichonski, P. R. (NIST); Scarfone, K. A. (Scarfone Cybersecurity)
Topic: Audit & Accountability; Security Automation
Family: Audit & Accountability; Configuration Management
Keywords: Common Platform Enumeration; CPE; SCAP; security automation
Legal: E-Government Act of 2002/Mandates NIST Development of Security Standards; Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7698

Final NISTIR 7751: Computer Security Division 2010 Annual Report
Pub Date: 5/31/2011
Abstract: This annual report covers the work conducted within the National Institute of Standards and Technology's Computer Security Division during Fiscal Year 2010. It discusses all projects and programs within the Division, staff highlights, and publications.
Authors: O'Reilly, P. D. (NIST)
Topic: Annual Reports
Keywords: annual report; computer security; Computer Security Division; CSD; cyber security; FISMA; highlights; projects
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7751

Draft NISTIR 7756: CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture
Pub Date: 1/6/2012
Abstract: [Second Public Draft] This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security's CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
Authors: Mell, P. M. (NIST); Waltermire, D. A. (NIST); Feldman, Larry (Booz Allen Hamilton); Booth, H. (NIST); Ragland, Zach (Booz Allen Hamilton); Ouyang, Alfred (The MITRE Corporation); McBride, Timothy (Department of Homeland Security)
Topic: Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment; Services & Acquisitions
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection
Legal: Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7756

Final NISTIR 7764: Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition
Pub Date: 2/23/2011
Abstract: The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007 to develop a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms currently specified in the Federal Information Processing Standard (FIPS) 180-3, Secure Hash Standard. The competition was NIST's response to advances in the cryptanalysis of hash algorithms. NIST received sixty-four submissions in October 2008, and selected fifty-one candidate algorithms as the first-round candidates on December 10, 2008, and fourteen as the second-round candidates on July 24, 2009. One year was allocated for the public review of the second-round candidates. On December 9, 2010, NIST announced five SHA-3 finalists to advance to the third (and final) round of the competition. This report summarizes the evaluation and selection of the five finalists – BLAKE, Grøstl, JH, Keccak and Skein.
Authors: Turan, M. S. (NIST); Perlner, R. A. (NIST); Bassham III, L. E. (NIST); Burr, W. E. (NIST); Chang, D. H. (NIST); Chang, S.-j. H. (NIST); Dworkin, M. J. (NIST); Kelsey, J. M. (NIST); Paul, S. (NIST); Peralta, R. (NIST)
Topic: Cryptography; Digital Signatures
Family: Configuration Management
Keywords: cryptographic hash algorithm; cryptographic hash function; cryptographic hash competition; cryptography; SHA-3 competition
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7764
Final NISTIR 7771: Conformance Test Architecture for Biometric Data Interchange Formats - Version Beta 2.0
Pub Date: 3/1/2011
Abstract: The success of biometric applications is particularly dependent on the interoperability of biometric systems. Deploying these systems requires a comprehensive portfolio of biometric standards developed in support of interoperability and data interchange. A number of these domestic and international standards have been published and others are under development. The existence of these standards alone is not enough to demonstrate that products meet the technical requirements specified in the standards. Conformance testing captures the technical description of a specification and measures whether an implementation faithfully implements the specification. The Computer Security Division of NIST/ITL supports conformity assessment efforts through active technical participation in the development of conformance testing methodology standards and the development of associated conformance test architectures (CTA) and test suites (CTS). This NIST IR discusses the technological characteristics of the recently released CTA Beta 2.0. This architecture supports CTSs such as the ones designed to test implementations of biometric data interchange data formats. The information provided includes CTA modules communication methods, key CTA features and high-level sequence diagrams. It also addresses an introduction to testing binary data, structure testing by groups of fields and a discussion on test cases. Ongoing work on related tools development is also addressed.
Authors: Podio, F. L. (NIST); Yaga, D. J. (NIST); Jerde, M. (NIST)
Topic: Biometrics; Research
Keywords: binary data testing; biometrics; conformance test architecture; conformance testing; data interchange; standard implementations; test cases
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7771

Final NISTIR 7773: An Application of Combinatorial Methods to Conformance Testing for Document Object Model Events
Pub Date: 5/23/2011
Abstract: This report describes the use of combinatorial test methods to reduce the cost of testing for the Document Object Model Events standard while maintaining an equivalent level of assurance. More than 36,000 tests – all possible combinations of equivalence class values – were reduced by approximately a factor of 20 with no reduction in error detection effectiveness.
Authors: Montanez-Rivera, C. (NIST); Kuhn, D. R. (NIST); Brady, M. C. (NIST); Rivello, R. M. (NIST); Reyes Rodriguez, J. (NIST); Powers, M. K. (NIST)
Topic: Research
Family: System & Information Integrity
Keywords: combinatorial testing; conformance testing; Document Object Model; DOM; interoperability testing
Legal: OMB Circular A-11: Preparation, Submission, and Execution of the Budget/Capital Planning
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7773

Final NISTIR 7788: Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs
Pub Date: 9/16/2011
Abstract: Today's information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of vulnerabilities. To more accurately assess the security of enterprise systems, one must understand how vulnerabilities can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This metric for risk mitigation analysis is used to maximize the security of enterprise systems. This methodology based on probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks.
Authors: Singhal, A. (NIST); Ou, Xinming (Kansas State University)
Topic: Research
Keywords: attack detection; attack graphs; computer networks; security risk
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7788

Final NISTIR 7791: Conformance Test Architecture and Test Suite for ANSI/NIST-ITL 1-2007
Pub Date: 6/22/2011
Abstract: The Computer Security Division of NIST/ITL supports the development of biometric conformance testing methodology standards and other conformity assessment efforts through active technical participation in the development of these standards and the associated conformance test architectures and test suites. The ANSI/NIST-ITL standard "Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information" is used by law enforcement, intelligence, military, and homeland security organizations throughout the world. The current version, specified in its Traditional Format, is Part 1: ANSI/NIST-ITL 1-2007. Although a revised and augmented version of the standard is under development, the 2007 version is still widely used. The Conformance Test Architecture and Test Suite described in this publication are designed to test implementations of ANSI/NIST ITL 1-2007. The code (Beta 0.4) is currently designed to support testing of selected record types of the standard but can be extended to support other record types as required. A high-level overview of the architecture and test suite as well as software details and the code structure are provided. A quick start user guide and a comprehensive table of the standard's requirements and the associated implemented conformance test assertions (over five-hundred and thirty) are included.
Authors: Podio, F. L. (NIST); Yaga, D. J. (NIST); McGinnis, C. J. (NIST)
Topic: Biometrics; Certification & Accreditation (C&A)
Keywords: ANSI/NIST–ITL 1-2007; biometrics; conformance test architecture; conformance testing; data interchange; standard implementations; test assertions
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7791

Draft NISTIR 7799: Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications
Pub Date: 1/6/2012
Abstract: This publication provides the technical specifications for the continuous monitoring (CM2) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored. A companion publication, NIST IR 7800, binds these specifications to specific data domains (e.g., asset, configuration, and vulnerability management). The specifications provided in this document are detailed enough to enable product instrumentation and development. They are also detailed enough to enable product testing, validation, procurement, and interoperability. Taken together, the specifications in this document define an ecosystem where a variety of interoperable products can be composed together to form effective CM solutions. If properly adopted, these specifications will enable teamwork, orchestration, and coordination among CM products that currently operate distinctly. For the computer security domain, this will greatly enhance organizational effectiveness and efficiency in addressing known vulnerabilities and technical policy requirements, and decision making.
Authors: Mell, P. M. (NIST); Waltermire, D. A. (NIST); Halbardier, A. M.; Feldman, Larry (Booz Allen Hamilton)
Topic: Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment; Services & Acquisitions
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection
Keywords: continuous monitoring
Legal: Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7799

Draft NISTIR 7800: Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains
Pub Date: 1/20/2012
Abstract: This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.
Authors: Waltermire, D. A. (NIST); Halbardier, A. M.; Humenansky, A.; Mell, P. M. (NIST)
Topic: Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection
Keywords: continuous monitoring; vulnerability management
Legal: Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks
Link: http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7800

Final NISTIR 7802: Trust Model for Security Automation Data 1.0 (TMSAD)
Pub Date: 9/20/2011
Abstract: This report defines the Trust Model for Security Automation Data 1.0 (TMSAD), which permits users to establish integrity, authentication, and traceability for security automation data. Since security automation data is primarily stored and exchanged using Extensible Markup Language (XML) documents, the focus of the trust model is on the processing of XML documents. The trust model is composed of recommendations on how to use existing specifications to represent signatures, hashes, key information, and identity information in the context of an XML document within the security automation domain.
Authors: Booth III, H. (NIST); Halbardier, A. M. (NIST)
Topic: Audit & Accountability; Authentication; Certification & Accreditation (C&A); Cryptography; Digital Signatures; Security Automation
Family: Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Identification & Authentication; System & Information Integrity
  • 72. Status Keywords Series Pub# Final NISTIR 7802 Title digital signatures; SCAP; security automation; Security Content Automation Protocol OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems Legal Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7802 Final NISTIR 7806 ANSI/NIST-ITL 1-2011 Requirements and Conformance Test Assertions Pub Date 9/16/2011 Abstract The current version of the ANSI/NIST-ITL standard "Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information" is specified in two parts. Part 1, ANSI/NIST-ITL 1-2007, specifies the traditional format, and Part 2, ANSI/NIST-ITL 2-2008, specifies a NIEMconformant XML format. Both parts have been combined into one document, which is being revised and augmented. The Computer Security Division (CSD) of NIST/ITL has developed a set of test assertions based on the requirements specified in the 4th draft of the new ANSI/NIST-ITL standard. Over twelve hundred test assertions have been identified and organized into a set of tables to assist in the development of a conformance test tool designed to test implementations of the new version of the ANSI/NIST-ITL standard for selected record types. These tables were contributed to the Conformance Testing Methodology (CTM) Working Group which was recently established by NIST/ITL to develop a CTM for the new version of the ANSI/NIST-ITL (AN-2011) standard. A ballot was conducted on a revised draft (5th draft) of the AN-2011 standard. A new draft will be developed based on the comments received as a result of this ballot. 
As the technical content of the AN-2011 draft standard evolves towards approval and publication, and comments on the assertion tables in this document are received, revised versions of these tables will be developed until they fully address the requirements of the approved AN-2011 standard. This publication documents the assertions developed and the terms, operands, and operators used in defining these assertions. Brief information on previous and ongoing conformance test tools development within NIST/ITL CSD is included. Authors McGinnis, C. J. (NIST); Yaga, D. J. (NIST); Podio, F. L. (NIST); Topic Biometrics; Certification & Accreditation (C&A) Keywords ANSI/NIST- ITL 1-2011; biometrics; conformance testing; data interchange; requirements; standard implementations; test assertions Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7806 Final NISTIR 7815 Access Control for SAR Systems Pub Date 11/21/2011 Abstract The Access Control for SAR Systems (ACSS) project focused on developing a prototype privilege management system used to express and enforce policies for controlling access to Suspicious Activity Report (SAR) data within the law enforcement domain. This report details the work conducted for the ACSS project including the design, implementation and integration of distributed software components for rendering policy decisions, storing subject and resource data, and facilitating web-based retrieval of SAR records. Authors Quirolgico, S. (NIST); Hu, V. (NIST); Karygiannis, A. T. 
(NIST); Topic Authentication Family Access Control; System & Information Integrity Keywords ABAC; access control; law enforcement; policy; privilege management; SAR; Suspicious Activity Report; XACML Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7815 Final NISTIR 7816 Computer Security Division 2011 Annual Report Pub Date 5/8/2012 Abstract Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The primary goal of the Computer Security Division (CSD), a component of NIST s Information Technology Laboratory (ITL), is to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year 2011 (FY 2011), CSD successfully responded to numerous challenges and opportunities in fulfilling that mission. Through CSD's diverse research agenda and engagement in many national priority initiatives, high-quality, cost-effective security and privacy mechanisms were developed and applied that improved information security across the federal government and the greater information security community. This annual report highlights the research agenda and activities in which CSD was engaged during FY 2011. Authors O'Reilly, P. D. (NIST); Topic Annual Reports Keywords Federal Information Security Management Act; FISMA, Computer Security Division; CSD; Information Security Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7816 Final NISTIR Pub Date Cloudburst Security, LLC 7817 A Credential Reliability and Revocation Model for Federated Identities 11/7/2012 Page 72 of 77 http://www.cloudburstsecurity.com
  • 73. Status Abstract Series Pub# Final NISTIR 7817 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title A large number of Identity Management Systems (IDMSs) are being deployed worldwide that use different technologies for the population of their users. With the diverse set of technologies, and the unique business requirements for organizations to federate, there is no uniform approach to the federation process. Similarly, there is no uniform method to revoke credentials or their associated attribute(s) in a federated community. In the absence of a uniform revocation method, this document seeks to investigate credential and attribute revocation with a particular focus on identifying missing requirements. This document first introduces and analyzes the different types of digital credentials and recommends missing revocation-related requirements for each model in a federated environment. As a second goal, and as a by-product of the analysis and recommendations, this paper suggests a credential reliability and revocation service that serves to eliminate the missing requirements. Authors Ferraiolo, H. 
(NIST); Topic Authentication; Cryptography; General IT Security; Personal Identity Verification (PIV); PKI; Smart Cards Family Access Control; Audit & Accountability; Planning Keywords authentication; assertion; identity management; identity management system (IDMS); information; security; credential; identity attributes Legal Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7817 Draft NISTIR 7823 Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework Pub Date 6/10/2012 Abstract Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The voluntary conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system’s conformance with the NEMA standard. Authors Iorga, M. (NIST); Shorter, S. (Electrosoft Services, Inc.); Topic Cyber-Physical Systems & Smart Grid; Maintenance Family Maintenance Keywords conformance testing; electric grid; smart grid; smart meters Legal Homeland Security Presidential Directive-7 (HSPD-7)/Protect Critical Infrastructure Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7823 Draft NISTIR 7831 Common Remediation Enumeration (CRE) Version 1.0 Pub Date 12/6/2011 Abstract NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. 
CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries. Authors McGuire, Gerard T. (The MITRE Corporation); Waltermire, D. A. (NIST); Baker, Jonathan O. (The MITRE Corporation); Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection Legal Federal Information Security Management Act of 2002 (FISMA)/Detection & Handling of Information Security Incidents; OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Certify & Accredit Systems Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7831 Draft NISTIR 7848 Specification for the Asset Summary Reporting Format 1.0 Pub Date 5/7/2012 Abstract NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications. 
Authors Davidson, Mark (The MITRE Corporation); Halbardier, A. M. (Booz Allen Hamilton); Waltermire, D. A. (NIST); Topic Audit & Accountability; Certification & Accreditation (C&A); General IT Security; Incident Response; Maintenance; Risk Assessment; Security Automation; Services & Acquisitions Family Audit & Accountability; Certification, Accreditation & Security Assessments; Configuration Management; Incident Response; Maintenance; Risk Assessment; System & Communication Protection Cloudburst Security, LLC Page 73 of 77 http://www.cloudburstsecurity.com
  • 74. Status Keywords Series Pub# Draft NISTIR 7848 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title asset reporting; Asset Summary Reporting Format (ASR); continuous monitoring; information technology; security automation; Security Content Automation Protocol (SCAP), security metrics Federal Information Security Management Act of 2002 (FISMA)/Manage Security Incidents; Legal OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources/Assess Risks Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7848 Final NISTIR 7864 The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities Pub Date 7/10/2012 Abstract The Common Misuse Scoring System (CMSS) is a set of measures of the severity of software feature misuse vulnerabilities. A software feature is a functional capability provided by software. A software feature misuse vulnerability is a vulnerability in which the feature also provides an avenue to compromise the security of a system. Such vulnerabilities are present when the trust assumptions made when designing software features can be abused in ways that violate security. Misuse vulnerabilities allow attackers to use for malicious purposes the functionality that was intended to be beneficial. CMSS can provide measurement data to assist organizations in making sound decisions on addressing software feature misuse vulnerabilities and in conducting quantitative assessments of the overall security posture of a system. This report defines proposed measures for CMSS and equations to be used to combine the measures into severity scores for each vulnerability. The report also provides examples of how CMSS measures and scores would be determined for selected software feature misuse vulnerabilities. Authors LeMay, E. (University of Illinois at Urbana-Champaign); Scarfone, K. A. (Scarfone Cybersecurity); Mell, P. M. 
(NIST); Topic General IT Security; Risk Assessment Family Configuration Management; Risk Assessment Keywords security measurement; trust misuse; vulnerability measurement; vulnerability scoring Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7864 Final NISTIR 7870 NIST Test Personal Identity Verification (PIV) Cards Pub Date 7/12/2012 Abstract In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, NIST has developed a set of test PIV Cards and a supporting public key infrastructure. This set of test cards includes not only examples that are similar to cards that are currently issued today, but also examples of cards with features that are expected to appear in cards that will be issued in the future. This document provides an overview of the test cards and the infrastructure that has been developed to support their use. Authors Cooper, D. A. (NIST); Topic Certification & Accreditation (C&A); Personal Identity Verification (PIV); Smart Cards Keywords Personal Identity Verification; PIV; smart card; FIPS 201 Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7870 Final NISTIR 7874 Guidelines for Access Control System Evaluation Metrics Pub Date 9/14/2012 Abstract The purpose of this document is to provide Federal agencies with background information on access control (AC) properties, and to help access control experts improve their evaluation of the highest security AC systems. This document discusses the administration, enforcement, performance, and support properties of AC mechanisms that are embedded in each AC system. (Even though this document covers most of the essential AC properties, the listed properties are not necessarily complete.) This document extends the information in NIST IR 7316, Assessment of Access Control Systems [NISTIR 7316], which demonstrates the fundamental concepts of policy, models, and mechanisms of AC systems. 
Authors Hu, V. C. (NIST); Scarfone, K. A. (Scarfone Cybersecurity); Keywords Access Control, Authorization, Policy, Computer Security Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7874 Title Final NISTIR Pub Date Cloudburst Security, LLC 7877 BioCTS 2012: Advanced Conformance Test Architectures and Test Suites for Biometric Data Interchange Formats and Biometric Information Records 9/14/2012 Page 74 of 77 http://www.cloudburstsecurity.com
  • 75. Status Abstract Series Pub# Final NISTIR 7877 NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) Title The Computer Security Division of NIST/ITL supports the development of biometric conformance testing methodology standards and other conformity assessment efforts through active technical participation in the development of these standards and the associated conformance test architectures and test suites. BioCTS 2012 is biometric conformance test software designed to test implementations for conformance to various biometric data interchange format standards. BioCTS 2012 for ANSI/NIST-ITL 1-2011 tests implementations of NIST SP 500-290 ANSI/NIST ITL 12011 (AN-2011) "Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information" using test assertions documented in NIST SP 500-295, "Conformance Testing Methodology for ANSI/NIST-ITL 1-2011, Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information (Release 1.0)." BioCTS 2012 for ISO/IEC tests implementations of biometric data interchange formats developed by Subcommittee 37 -- Biometrics of the Joint Technical Committee 1 -- Information Technology of ISO and IEC. Support for testing Biometric Information Records (BIRs) conforming to instantiations of the Common Biometric Exchange Formats Framework (CBEFF) specified in national and international standards is also provided. BioCTS 2012 for ANSI/NIST-ITL 1-2011 is currently designed to support testing of implementations that include any of the Record Types defined in AN-2011, but conformance testing is only performed for the selected Record Types (1, 4, 10, 13, 14, 15, and 17). Plans exist to extend the test tool to support additional Record Types. Information regarding BioCTS 2012 testing architectures, code structure, and other software design details is provided. Authors Podio, F. L. (NIST); Yaga, D. J. (NIST); McGinnis, C. J. 
(NIST); Topic Biometrics; Certification & Accreditation (C&A) Keywords ANSI/NIST-ITL 1-2011; biometric, Biometric Information Records; biometrics; CBEFF; conformance testing; conformance test architecture; data interchange formats ; encoding, NIEM-compliant; encoding, traditional; standards, ISO/IEC 19794; standard implementations; test assertions; testing methodology Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7877 Final NISTIR 7878 Combinatorial Coverage Measurement Pub Date 10/26/2012 Abstract Combinatorial testing applies factor covering arrays to test all t-way combinations of input or configuration state space. In some testing situations, it is not practical to use covering arrays, but any set of tests covers at least some portion of t-way combinations up to t [less than or equal to] n. This report describes measures of combinatorial coverage that can be used in evaluating the degree of t-way coverage of any test suite, regardless of whether it was initially constructed for combinatorial coverage. Authors Kuhn, D. R. (NIST); Kacker, R. N. (NIST); Lei, Yu (University of Texas at Arlington); Topic Research Keywords combinatorial testing; factor covering array; state-space coverage; verification and validation (V&V); t-way testing; configuration model; component interaction failure Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7878 Final NISTIR 7896 Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition Pub Date 11/15/2012 Abstract The National Institute of Standards and Technology (NIST) opened a public competition on November 2, 2007, to develop a new cryptographic hash algorithm – SHA-3, which will augment the hash algorithms specified in the Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS). The competition was NIST’s response to advances in the cryptanalysis of hash algorithms. 
NIST received sixty-four submissions in October 2008, and selected fifty-one first-round candidates on December 10, 2008; fourteen secondround candidates on July 24, 2009; and five third-round candidates – BLAKE, Grøstl, JH, Keccak and Skein, on December 9, 2010, to advance to the final round of the competition. Eighteen months were provided for the public review of the finalists, and on October 2, 2012, NIST announced the winning algorithm of the SHA-3 competition – Keccak. This report summarizes the evaluation of the five finalists and the selection of the SHA3 winner. Authors Chang, S.-j. (NIST); Perlner, R. A. (NIST); Burr, W. E. (NIST); Turan, M. S. (NIST); Kelsey, J. M. (NIST); Paul, Souradyuti (NIST); Bassham III, L. E. (NIST); Topic Cryptography Keywords Cryptographic hash algorithm; Cryptographic hash function; Cryptography; Cryptographic hash competition; SHA-3 competition. Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7896 Draft NISTIR 7904 Trusted Geolocation in the Cloud: Proof of Concept Implementation Pub Date 12/21/2012 Abstract This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired. The publication is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation. Authors Banks, E. K. (); Bartock, M. (NIST); Fiftal, K. (); Lemon, D. (); Scarfone, K. A. (Scarfone Cybersecurity); Shetty, U. (); Souppaya, M. (NIST); Williams, T. (); Yeluri, R. 
(); Topic Cloud Computing & Virtualization; Research Family Access Control; Audit & Accountability; Configuration Management; System & Communication Protection; System & Information Integrity Cloudburst Security, LLC Page 75 of 77 http://www.cloudburstsecurity.com
  • 76. Status Keywords Series Pub# Draft NISTIR 7904 Title cloud computing; geolocation; Infrastructure as a Service (IaaS); virtualization Federal Information Security Management Act of 2002 (FISMA)/Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category Legal Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7904 Final NISTIR 7916 Proceedings of the Cybersecurity in Cyber-Physical Systems Workshop, April 23-24, 2012 Pub Date 2/1/2013 Abstract Proceedings of the Cybersecurity in Cyber-Physical Workshop, April 23 – 24, 2012, complete with abstracts and slides from presenters. Some of the cyber-physical systems covered during the first day of the workshop included networked automotive vehicles, networked medical devices, semi-conductor manufacturing, and cyber-physical testbeds. Day two of the workshop covered the electric smart grid. Dr. Farnham Jahanian, NSF, was the keynote speaker on day one. Authors Brewer, T. L. (NIST); Topic Conferences & Workshops; Cyber-Physical Systems & Smart Grid Keywords CPS; cyber-physical systems; cybersecurity; networked automotive vehicles; networked medical devices; semi-conductor manufacturing Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7916 Draft NISTIR 7924 Reference Certificate Policy Pub Date 4/22/2013 Abstract The purpose of this document is to identify a baseline set of security controls and practices to support the secure issuance of certificates. This baseline was developed with publicly-trusted Certificate Authorities (CAs) in mind. These CAs, who issue the certificates used to secure websites and sign software, play a particularly important role online. This document formatted as a Reference Certificate Policy (CP). We expect different applications and relying party communities will tailor this document based on their specific needs. 
It was structured and developed so that the CP developer can fill in sections specific to organizational needs and quickly produce a suitable CP. This Reference CP is consistent with the Internet Engineering Task Force (IETF) Public Key Infrastructure X.509 (IETF PKIX) Certificate Policy and Certification Practices Framework. Authors Booth III, H. (NIST); Regenscheid, A. R. (NIST); Topic Cryptography; PKI Keywords certificate authority; certificate policy; digital certificate; public key infrastructure Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7924 Final NISTIR 7933 Requirements and Conformance Test Assertions for ANSI/NIST-ITL 1-2011 Record Type 18 - DNA Record Pub Date 5/1/2013 Abstract The Computer Security Division (CSD) of NIST/ITL develops conformance test architectures (CTAs) and test suites (CTSs) to support users that require conformance to selected biometric standards. Product developers as well as testing laboratories can also benefit from the use of these tools. This project supports the possible establishment of conformity assessment programs for biometrics and also supports NIST/ITL’s Forensic Science Program by making conformance testing tools available that provide developers, users, and purchasers with increased levels of confidence in product quality and increases the probability of successful interoperability of biometrics and forensic data. One of the test tools is a CTA/CTS designed to test implementations of ANSI/NIST-ITL 1-2011 (AN-2011) “Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information” for selected Record Types based on twelve hundred test assertions previously developed. As part of the process associated with the extension of the first version of BioCTS for AN-2011, NIST/ITL/CSD’s staff identified over two-hundred test assertions necessary to meet the conformance requirements for the AN-2011 Record Type 18- DNA Record. 
These test assertions are documented using the format specified in NIST Special Publication 500-295, “Conformance Testing Methodology for ANSI/NIST-ITL 1-2011, Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information (Release 1.0)”. Authors Podio, F. L. (NIST); Yaga, D. (NIST); McGinnis, C. J. (NIST) Topic Biometrics; Forensics Keywords ANSI/NIST-ITL 1-2011; biometrics; conformance testing; conformance test architecture; CTA; CTS; BioCTS; conformance test suite; data interchange; DNA data; Record Type 18; test assertions; testing methodology Link Title http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7933 Draft NISTIR 7946 CVSS Implementation Guidance Pub Date 9/4/2013 Abstract This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to score over 50,000 vulnerabilities analyzed by the National Vulnerability Database (NVD). An overview of the CVSS base metrics is first presented followed by guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored IT vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process. Authors Franklin, J. (NIST); Booth III, H. (NIST); Wergin, C. (CocoaSystems Inc.) Topic General IT Security; Security Automation; Viruses & Malware Cloudburst Security, LLC Page 76 of 77 http://www.cloudburstsecurity.com
  • 77. Status Family Series Pub# Draft NISTIR 7946 Keywords Title Configuration Management Common Vulnerability Scoring System Version 2.0; CVSS v2.0; National Vulnerability Database; NVD; security metrics; vulnerabilities; vulnerability scoring Link Title NIST SP 800 Series, FIPS and NISTIR Document Index (October 2013) http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7946 Final NISTIR 7956 Cryptographic Key Management Issues & Challenges in Cloud Services Pub Date 9/18/2013 Abstract To interact with various services in the cloud and to store the data generated/processed by those services, several security capabilities are required. Based on a core set of features in the three common cloud services - Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), we identify a set of security capabilities needed to exercise those features and the cryptographic operations they entail. An analysis of the common state of practice of the cryptographic operations that provide those security capabilities reveals that the management of cryptographic keys takes on an additional complexity in cloud environments compared to enterprise IT environments due to: (a) difference in ownership (between cloud Consumers and cloud Providers) and (b) control of infrastructures on which both the Key Management System (KMS) and protected resources are located. This document identifies the cryptographic key management challenges in the context of architectural solutions that are commonly deployed to perform those cryptographic operations. Authors Chandramouli, R. (NIST); Iorga, M. (NIST); Chokhani, S. (Cygnacom Solutions, Inc.) 
Topic Cloud Computing & Virtualization; Cryptography; PKI Keywords authentication; cloud services; data protection; encryption; key management system (KMS); Secure Shell (SSH); Transport Layer Security (TLS) Link http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7956 Cloudburst Security, LLC Page 77 of 77 http://www.cloudburstsecurity.com